From 4da24b8a0ca3361360e81adf8dfb4e32c325af1f Mon Sep 17 00:00:00 2001 From: Andy Feller Date: Mon, 21 Jul 2025 08:44:58 -0400 Subject: [PATCH] Limit permissions of govulncheck workflow --- .github/workflows/govulncheck.yml | 3 +++ .github/workflows/lint.yml | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml index ada58c550..42d94077c 100644 --- a/.github/workflows/govulncheck.yml +++ b/.github/workflows/govulncheck.yml @@ -5,6 +5,9 @@ on: jobs: govulncheck: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Check out code uses: actions/checkout@v4 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 771362b44..5281a46d0 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -16,10 +16,8 @@ on: - go.sum - ".github/licenses.tmpl" - "script/licenses*" - permissions: contents: read - jobs: lint: runs-on: ubuntu-latest
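Review bot: The new `permissions:` block in govulncheck.yml is scoped to the `govulncheck` job only, and no workflow-level default is visible in the hunk (lines 1-4 of the file are outside it), so a job added to this workflow later would fall back to the repository's default token permissions. Consider also declaring a workflow-level `permissions: {}` (or `contents: read`, as lint.yml does at top level) above `jobs:`, so every job must opt in to the scopes it needs. The write scope deserves a short why-comment, e.g. `security-events: write # needed to upload scan results to code scanning`, assuming a later step uploads results; the step list continues past the end of the hunk, so confirm that against the full file. If this workflow also runs on pull requests from forks, the token is read-only there regardless of this block, so an upload step may need a guard.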