codeql-permission-classification
Install: claude install-skill JacobPEvans/claude-code-plugins
# CodeQL Permission Classification
Single source of truth for GitHub Actions permission requirements.
## Permission Types
`GITHUB_TOKEN` is granted per scope, and each scope takes `read`, `write`, or `none`. The scopes a CodeQL or release workflow most often needs:
```text
contents        # Repository content (checkout, tags, releases)
pull-requests   # PR comments, reviews, assignments
issues          # Issue comments, labels, milestones
deployments     # Deployment status
packages        # GitHub Packages
actions         # Workflow runs, artifacts, caches
checks          # Check runs and annotations
statuses        # Commit statuses
security-events # Code scanning and secret scanning results (SARIF upload)
id-token        # Request an OIDC token (`write` only; lets a job authenticate to a cloud provider without a stored secret)
```
Declaring a `permissions:` block at the workflow or job level sets every scope you do not list to `none`. `permissions: {}` at the top of the workflow is therefore the safe default: each job then adds only the scopes its steps need.
## Common Actions → Permissions Matrix
| Action | Required Permissions | Use Case |
|--------|----------------------|----------|
| `actions/checkout@v6` | `contents: read` (`write` only if the job pushes commits or tags) | Clone repository |
| `actions/upload-artifact@v6` | None (usually; artifacts use the runner's own token, not `GITHUB_TOKEN`) | Store build artifacts |
| `actions/download-artifact@v6` | None (usually) | Retrieve artifacts |
| `actions/setup-node@v6` | None | Install Node.js |
| `actions/github-script@v6` | Whatever the script calls (for example `pull-requests: write` to comment on a PR); `contents: read` is the usual minimum | Run inline JavaScript against the GitHub API |
| `actions/create-release@v1` | `contents: write` | Create GitHub release |
| `github/codeql-action/upload-sarif@v2` | `security-events: write` (plus `actions: read` in private repositories) | Upload SARIF results to code scanning |
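The matrix above translated into a workflow, as an added example that is not part of this skill's own files. It uses the action versions the matrix lists; `scan.sh`, the `results.sarif` filename and the comment text are assumptions made up for the example. The workflow starts from `permissions: {}` so every job must opt in to the scopes it needs, which is the pattern the matrix is meant to support:

```yaml
name: codeql-permissions-example
on:
  push:
    branches: [main]
  pull_request:

# Nothing by default: every job below declares exactly what it uses.
permissions: {}

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # actions/checkout
      security-events: write  # github/codeql-action/upload-sarif
      actions: read           # only needed for private repositories
    steps:
      - uses: actions/checkout@v6
      # Hypothetical scanner that writes SARIF; any tool producing SARIF works here.
      - run: ./scan.sh --output results.sarif
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
      # Artifact upload needs no GITHUB_TOKEN scope (see matrix).
      - uses: actions/upload-artifact@v6
        with:
          name: sarif
          path: results.sarif

  comment:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write    # the only scope the script below uses
    steps:
      - uses: actions/github-script@v6
        with:
          script: |
            // Comment text is constructed for the example.
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Code scanning results uploaded.',
            });

  release:
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: write         # actions/create-release
    steps:
      - uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref_name }}
          release_name: ${{ github.ref_name }}
```

Two things to check when adapting this: the `release` job is the only one holding `contents: write`, and it is gated on a tag push so a pull request from a fork cannot reach it; and the version tags above are the ones the matrix lists, whereas a hardened workflow pins each action to a full commit SHA instead of a mutable tag.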
## Decision Tree
**Q1: Does your job use `actions/checkout`?**
- YES → Add `contents: read`
-