fix: sarif

.github/workflows/build.yml

@@ -5,9 +5,9 @@ on:
     tags:
       - '*'
 
-defaults:
-  run:
-    shell: bash
+
+permissions:
+  contents: read
 
 jobs:
   build-push:
@@ -36,6 +36,9 @@ jobs:
             VERSION=${{ github.ref_name }}
 
   analysis:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     needs: build-push
     name: Vulnerability scanner for containers
     runs-on: ubuntu-latest
@@ -51,6 +54,6 @@ jobs:
           timeout: 15m
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'