From 0457cc559e0bdbb205880fa230cb22078f247dae Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Thu, 23 Feb 2023 13:47:48 +0100
Subject: [PATCH] .github: allow only read permission in sonar-check.yml

---
 .github/workflows/sonar-check.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/sonar-check.yml b/.github/workflows/sonar-check.yml
index 2e8c28a3ce6..0b5e4472844 100644
--- a/.github/workflows/sonar-check.yml
+++ b/.github/workflows/sonar-check.yml
@@ -19,6 +19,9 @@ name: Sonar Quality Check
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true