Update cd.yml

.github/workflows/cd.yml

@@ -4,32 +4,27 @@ on:
     types: [published]
 
 jobs:
-
   docker:
-
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-latest
-
     steps:
-
     - name: Checkout
       uses: actions/checkout@v2
-
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
-
     - name: Login to Github Container Registry
       uses: docker/login-action@v1
       with:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
         registry: ghcr.io
-
     - name: Set tag name
       id: tag
       run: echo ::set-output name=tag_name::${GITHUB_REF#*\/*\/}
       env:
         GITHUB_REF: ${{ github.ref }}
-
     - name: Build and push
       uses: docker/build-push-action@v2
       with:
@@ -41,14 +36,12 @@ jobs:
           ghcr.io/artefactory/github_tests_validator_app:latest
         cache-from: type=registry,ref=ghcr.io/artefactory/github_tests_validator_app:latest
         cache-to: type=inline
-
     - name: Scan image
       uses: anchore/scan-action@v3
       id: scan
       with:
         image: "ghcr.io/artefactory/github_tests_validator_app:${{ steps.tag.outputs.tag_name }}"
         severity-cutoff: "low"
-
     - name: upload Anchore scan SARIF report
       if: success() || failure()
       uses: github/codeql-action/upload-sarif@v2