From b931ba271bba4fda387e3ed0b5a4ee60623f3309 Mon Sep 17 00:00:00 2001
From: Emil Velikov
Date: Fri, 16 Aug 2024 16:41:28 +0100
Subject: [PATCH] ci: use read-only workflow tokens

Seemingly the defaults are write-all, which means the action can push pages, accept PRs and others. This is another suggestion I've seen by the GOSST folks.

Signed-off-by: Emil Velikov
Link: https://github.com/kmod-project/kmod/pull/76
Signed-off-by: Lucas De Marchi
---
 .github/workflows/codespell.yml | 3 +++
 .github/workflows/main.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 16856663..0ef74864 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [master]
 
+permissions:
+ contents: read
+
 jobs:
 spellcheck:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 056005c2..2d63660b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [master]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
-- 
2.47.3
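Review bot: The new top-level `permissions:` block in codespell.yml, and the identical one in main.yml, has no comment recording that listing `contents: read` also sets every unlisted GITHUB_TOKEN scope to none, which is the property a later edit is most likely to undo by accident. I would put `# Least privilege: GITHUB_TOKEN is contents: read only; unlisted scopes become none.` and `# Grant extra scopes on the job that needs them, not here.` above `permissions:` in both files. The `jobs:` sections continue outside both hunks, so whether any step in `spellcheck` or `build` depends on another token scope cannot be confirmed from here and is worth checking on a test run.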