From 9074ad93c6675cdb603b85d85a8090100058f81b Mon Sep 17 00:00:00 2001
From: Alex <aleksandrosansan@gmail.com>
Date: Sun, 25 Sep 2022 17:24:06 +0200
Subject: build: harden workflow permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>
---
 .github/workflows/cygwin.yml  | 3 +++
 .github/workflows/images.yml  | 3 +++
 .github/workflows/website.yml | 3 +++
 3 files changed, 9 insertions(+)

(limited to '.github')

diff --git a/.github/workflows/cygwin.yml b/.github/workflows/cygwin.yml
index d95c7b3c6..5b1cd95ec 100644
--- a/.github/workflows/cygwin.yml
+++ b/.github/workflows/cygwin.yml
@@ -18,6 +18,9 @@ on:
       - ".github/workflows/cygwin.yml"
       - "run*tests.py"
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: windows-latest
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
index 655d478ce..dd4fe9ac4 100644
--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@@ -23,6 +23,9 @@ on:
   schedule:
     - cron: '0 0 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     # do not run the weekly scheduled job in a fork
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index 3fac07f58..3b1d517a1 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -19,6 +19,9 @@ on:
     types:
       - published
 
+permissions:
+  contents: write # for release creation (svenstaro/upload-release-action)
+
 # This job is copy/paster into wrapdb CI, please update it there when doing any
 # change here.
 jobs:
-- 
cgit v1.2.3