From 37ab2e469b59fe4cedc06c7a06fe18b008e1cb9a Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 5 Nov 2024 04:58:52 -0500
Subject: [PATCH] Add Actions permissions analysis to the `CodeQL` workflow

Add the GitHubSecurityLab/actions-permissions/monitor Action just as it
is in the `build` and `sync-labels` workflows.
---
 .github/workflows/codeql-analysis.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d0973601..6dfac939 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,6 +26,12 @@ jobs:
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -56,6 +62,10 @@ jobs:
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2