From c9b6aee07e98596593e5709d3687092feeabe808 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed, 17 Jun 2026 10:52:02 -0400
Subject: [PATCH 1/2] Fix codeql workflow permissions (#993)

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7a8261238..1964b62fc 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -10,5 +10,8 @@ on:
 
 jobs:
   call-codeQL-analysis:
+    permissions:
+      actions: read
+      security-events: write
     name: CodeQL analysis
     uses: actions/reusable-workflows/.github/workflows/codeql-analysis.yml@main

From bc52a13212ed712059892c2a00fd554f25c78125 Mon Sep 17 00:00:00 2001
From: George Adams <gdams@github.com>
Date: Wed, 17 Jun 2026 07:58:23 -0700
Subject: [PATCH 2/2] fix CodeQL permissions (#1025)

---
 .github/workflows/codeql-analysis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1964b62fc..1816c150c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -12,6 +12,7 @@ jobs:
   call-codeQL-analysis:
     permissions:
       actions: read
+      contents: read
       security-events: write
     name: CodeQL analysis
     uses: actions/reusable-workflows/.github/workflows/codeql-analysis.yml@main