From 21753283b1691aaa249066511bd15d389061e9fe Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg
Date: Mon, 9 Aug 2021 11:40:19 -0700
Subject: [PATCH] Updates the permissions block to be minimal And adds a permissions block to the README.
---
 .github/workflows/codeql.yml | 4 ----
 CHANGELOG.md | 2 +-
 README.md | 8 ++++++++
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 37d759d354..3d5ccade28 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,8 +17,6 @@ jobs:
 versions: ${{ steps.compare.outputs.versions }}
 permissions:
- actions: read
- contents: read
 security-events: write
 steps:
@@ -68,8 +66,6 @@ jobs:
 runs-on: ${{ matrix.os }}
 permissions:
- actions: read
- contents: read
 security-events: write
 steps:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6268516918..ed86b9a93b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@ ## [UNRELEASED]
-No user facing changes.
+- Update README to include a sample permissions block. [#689](https://github.com/github/codeql-action/pull/689)
 ## 1.0.10 - 03 Aug 2021
diff --git a/README.md b/README.md
index f1bfdcaf82..36a13b6fdb 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,14 @@ jobs:
 # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
 runs-on: ubuntu-latest
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v2
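Review bot: Nothing in the workflow records why `actions: read` and `contents: read` were dropped from the job-level `permissions:` block in the first `.github/workflows/codeql.yml` hunk, and the same applies to the second hunk at `@@ -68,8 +66,6 @@`. Scopes left out of a `permissions:` block are set to `none` for the job's `GITHUB_TOKEN`, so both jobs now appear to depend on the repository being public; the README text added in this same commit says these two scopes are required for workflows in private repositories. I would add a comment above `security-events: write` in both jobs, such as `# actions: read and contents: read are omitted because this repository is public; restore them if this workflow runs in a private repository`. Both job definitions continue outside their hunks, so the steps that consume the token are not visible here.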