From 09ac271a0f3c7c959ba31c16c744249bd30a3263 Mon Sep 17 00:00:00 2001 From: Cedric-Magnan <43343135+Cedric-Magnan@users.noreply.github.com> Date: Thu, 9 Nov 2023 20:45:43 +0100 Subject: [PATCH] Update cd.yml --- .github/workflows/cd.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 279d331..1504d5e 100755 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -4,32 +4,27 @@ on: types: [published] jobs: - docker: - + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest - steps: - - name: Checkout uses: actions/checkout@v2 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 - - name: Login to Github Container Registry uses: docker/login-action@v1 with: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io - - name: Set tag name id: tag run: echo ::set-output name=tag_name::${GITHUB_REF#*\/*\/} env: GITHUB_REF: ${{ github.ref }} - - name: Build and push uses: docker/build-push-action@v2 with: @@ -41,14 +36,12 @@ jobs: ghcr.io/artefactory/github_tests_validator_app:latest cache-from: type=registry,ref=ghcr.io/artefactory/github_tests_validator_app:latest cache-to: type=inline - - name: Scan image uses: anchore/scan-action@v3 id: scan with: image: "ghcr.io/artefactory/github_tests_validator_app:${{ steps.tag.outputs.tag_name }}" severity-cutoff: "low" - - name: upload Anchore scan SARIF report if: success() || failure() uses: github/codeql-action/upload-sarif@v2
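Review bot: The new job-level `permissions:` block in the first hunk lists only `contents: read` and `security-events: write`, and once a `permissions:` block is declared every scope it omits drops to `none` — so the `GITHUB_TOKEN` handed to `docker/login-action` for ghcr.io no longer carries `packages: write`, and the build-push step (its `push:` key sits outside the hunk, so this is inferred from the `ghcr.io/artefactory/github_tests_validator_app` tags) should now fail with a permission-denied error on push; the Anchore step in the second hunk also needs at least `packages: read` to pull the image back if the package is private. Add `packages: write # for docker/login-action and docker/build-push-action to push to ghcr.io` next to the two existing entries. Scoping the token explicitly is the right move, and it is worth pairing with the workflow's other supply-chain hardening: the `actions/checkout@v2`, `docker/*@v1` and `anchore/scan-action@v3` references are mutable major tags rather than commit SHAs, though those lines are untouched by this change. The `steps.tag` step still relies on the deprecated `::set-output` workflow command; `run: echo "tag_name=${GITHUB_REF#*\/*\/}" >> "$GITHUB_OUTPUT"` is the supported replacement.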