From ee777eb116a60d96a25bd1715e841573d4f10f00 Mon Sep 17 00:00:00 2001 From: Terri Oda Date: Thu, 6 Jun 2024 13:56:15 -0700 Subject: [PATCH] docs: workflow permissions match openssf guidance Current OpenSSF guidance recommends making the top-level permission read-only and setting permissions per-job (so if someone adds a new job later it doesn't get surprising permissions). Signed-off-by: Terri Oda --- README.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index cbe2d8c..bdd2fce 100644 --- a/README.md +++ b/README.md @@ -63,11 +63,13 @@ on: - cron: '20 2 * * *' permissions: - security-events: write + contents: read jobs: scan: runs-on: ubuntu-latest + permissions: + security-events: write steps: - uses: intel/cve-bin-tool-action@main with: @@ -87,11 +89,13 @@ on: workflow_dispatch: permissions: - security-events: write + contents: read jobs: scan: runs-on: ubuntu-latest + permissions: + security-events: write steps: - uses: intel/cve-bin-tool-action@main with: @@ -110,11 +114,13 @@ on: workflow_dispatch: permissions: - security-events: write + contents: read jobs: scan: runs-on: ubuntu-latest + permissions: + security-events: write steps: - name: Setup node v16 (for build process) run: | @@ -135,13 +141,15 @@ on: - cron: '20 2 * * *' permissions: - security-events: write - contents: write - pull-requests: write + contents: read jobs: scan: runs-on: ubuntu-latest + permissions: + security-events: write + contents: write + pull-requests: write steps: - uses: intel/cve-bin-tool-action@main with:
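Review bot: In the first three hunks the job-level block declares only `security-events: write`, and in GitHub Actions a job-level `permissions:` replaces the workflow-level set rather than merging with it, so the `GITHUB_TOKEN` in those jobs ends up with `contents: none` even though the workflow level now says `contents: read`. If `intel/cve-bin-tool-action@main` (or a checkout step it wraps) reads the repository, that would fail on private repositories while still appearing to work on public ones, which is the kind of surprise this patch is trying to prevent; the fourth hunk does not have the problem because it re-lists `contents: write`. The OpenSSF pattern being followed keeps the read scope in each job, so each of the three job blocks should read `permissions:` / `  contents: read` / `  security-events: write`. It may also be worth a one-line note in the README that job-level permissions do not inherit from the workflow level, since readers will copy these snippets verbatim.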