From 311956ccd91614a7d5fb8cbb458fb8dc6fdfcf97 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Sat, 13 Nov 2021 14:40:20 +0000
Subject: [PATCH] ci: tighten several GHActions a bit more with https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions

---
 .github/workflows/build_test.yml | 2 ++
 .github/workflows/cifuzz.yml | 3 +++
 .github/workflows/coverity.yml | 2 ++
 .github/workflows/labeler.yml | 4 ++++
 .github/workflows/linter.yml | 2 ++
 .github/workflows/mkosi.yml | 2 ++
 .github/workflows/unit_tests.yml | 2 ++
 7 files changed, 17 insertions(+)

diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index 5f2959871b2..c446fc41ba1 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -12,6 +12,8 @@ on:
 - 'src/**'
 - 'test/fuzz/**'
 
+permissions: read-all
+
 jobs:
 build:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 2b5dba17570..6c02b1da1e5 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -4,6 +4,9 @@
 # See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
 
 name: CIFuzz
+
+permissions: read-all
+
 on:
 pull_request:
 paths:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index c43041f37d4..7b1d1217f38 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -9,6 +9,8 @@ on:
 # Run Coverity daily at midnight
 - cron: '0 0 * * *'
 
+permissions: read-all
+
 jobs:
 build:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index ee238c2fa71..800f8877a3f 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -7,6 +7,10 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
 
+permissions:
+contents: read
+pull-requests: write
+
 jobs:
 triage:
 runs-on: ubuntu-latest
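Review bot: `permissions: read-all` in build_test.yml grants read access on every token scope (contents, issues, pull-requests, packages, and so on), which is wider than a workflow that only checks out the repository and builds it needs; coverity.yml, linter.yml, mkosi.yml and unit_tests.yml use the same value and the same remark applies to them. It is still a large improvement over the default token, but if no step in these jobs reads anything beyond the repository contents, the narrower form `permissions:` / `  contents: read` gives the same outcome with less token exposure. Whether any step needs a further scope is not visible from the hunks, so the scopes would have to be confirmed against the job steps before narrowing. Whichever value is kept, a one-line comment above it such as `# read-only token: nothing in this workflow writes back to the repository` would record the intent for the next person editing the file.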
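Review bot: In cifuzz.yml the `permissions` key is inserted between `name:` and `on:`, while the other six workflows in this commit place it after the `on:` block and directly before `jobs:`. Keeping the key in one position across the workflows makes it easier to audit them with a single grep and to spot a file where it is missing. Moving the three added lines to sit just above `jobs:` would match the rest of the series.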
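Review bot: The `pull-requests: write` scope in labeler.yml deserves a comment, because this workflow runs on `pull_request_target` and therefore executes with the base repository's token for every incoming pull request; a note such as `# write is needed only to apply labels; contents stays read-only so nothing here can push` records why the write bit is justified. Pairing it with `contents: read` is the right call, since on `pull_request_target` the token would by default carry write access to the base branch. The triage job's steps are outside the hunk, so whether any of them checks out pull-request-head code — the situation in which a write scope matters most — cannot be confirmed from here and is worth checking when the comment is added.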
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index cd23fd1946a..3905b7a6438 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -10,6 +10,8 @@ on:
 - main
 - v[0-9]+-stable
 
+permissions: read-all
+
 jobs:
 build:
 name: Lint Code Base
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 7f8e98fcc7d..533c8be9680 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -14,6 +14,8 @@ on:
 - main
 - v[0-9]+-stable
 
+permissions: read-all
+
 jobs:
 ci:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 844784eff1d..3f37fe866bc 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -9,6 +9,8 @@ on:
 - main
 - v[0-9]+-stable
 
+permissions: read-all
+
 jobs:
 build:
 runs-on: ubuntu-20.04
-- 
2.47.3