From 54540b17638fd3c7c8d027d473d469c2f4c17eb0 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 00:47:51 +0200
Subject: [PATCH] ci: GitHub Workflows security hardening (#5405)
* build: harden ci.yml permissions
Signed-off-by: Alex
* build: harden update-latest.yml permissions
Signed-off-by: Alex
Signed-off-by: Alex
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/update-latest.yml | 1 +
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f83c237a366..c1beb282ee6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/update-latest.yml b/.github/workflows/update-latest.yml
index c0bd2fd7265..17147a2b50d 100644
--- a/.github/workflows/update-latest.yml
+++ b/.github/workflows/update-latest.yml
@@ -11,6 +11,7 @@ on:
         default: latest
         required: true
 
+permissions: {}
 jobs:
   build:
     name: Tagging ${{ github.event.inputs.version }} as ${{ github.event.inputs.tag }}
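Review bot: The workflow-level `contents: read` in the ci.yml hunk will make any job step that needs another GITHUB_TOKEN scope (check annotations, pull-request comments, package or release writes) fail with 403, and the `jobs:` block that would show whether such a step exists continues outside the hunk. If one does, grant the scope at job level rather than widening this block, e.g. `permissions:` / `contents: read` / `checks: write` on that job only. The trailing comment is a good habit; extending it to `# top-level default: jobs needing more must declare their own permissions block` would steer later additions away from simply broadening this line.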
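Review bot: `permissions: {}` in the update-latest.yml hunk strips every GITHUB_TOKEN scope, yet the job is named `Tagging ${{ github.event.inputs.version }} as ${{ github.event.inputs.tag }}`, so its steps (outside the hunk) presumably push a tag and will fail unless the job declares its own `permissions:` block or authenticates with a separately stored secret. Confirm which it is; if it relies on the default token, add `permissions:` / `contents: write` at the job level so the write scope stays confined to that one job rather than being reinstated at the top. A comment beside the new line, `# no default scopes; the tagging job declares what it needs`, would record the intent the way the ci.yml hunk does.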