From bc84a61a9dd907525497aa39a8d1b4af6bbea6fc Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 3 Nov 2022 17:21:16 +0200
Subject: [PATCH] build: GitHub Workflows security hardening (#2238)

* build: harden ci.yaml permissions

Signed-off-by: Alex

* build: harden release-please.yml permissions

Signed-off-by: Alex
Co-authored-by: Benjamin E. Coe
---
 .github/workflows/ci.yaml | 3 +++
 .github/workflows/release-please.yml | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 090e8a2c7..cb0eb0bce 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 types: [ assigned, opened, synchronize, reopened, labeled ]
 name: ci
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index d8d53bf9d..ce806bd7d 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -3,8 +3,13 @@ on:
 branches:
 - main
 name: release-please
+permissions: {}
 jobs:
 release-please:
+ permissions:
+ contents: write # to create release commit (google-github-actions/release-please-action)
+ pull-requests: write # to create release PR (google-github-actions/release-please-action)
+
 runs-on: ubuntu-latest
 steps:
 - uses: google-github-actions/release-please-action@v3
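Review bot: The workflow-level `contents: read` in ci.yaml replaces GITHUB_TOKEN's default scopes rather than trimming them selectively, so any job in this file beyond the `test` job header shown here — the file continues outside the hunk — that writes checks, PR comments or artifacts through the API now needs its own job-level `permissions:` block, and nothing in the hunk shows that was verified. The placement (top level, before `jobs:`) is correct, and the inline comment naming the consumer (`actions/checkout`) is a pattern worth repeating on every grant. A stricter shape, consistent with release-please.yml in the same commit, is `permissions: {}` at the top with `contents: read` granted inside each job, so a job added later inherits nothing by default.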
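Review bot: The hardening of release-please.yml stops at token scopes: the `uses: google-github-actions/release-please-action@v3` step kept as context still resolves a mutable major-version tag, so the job that now holds `contents: write` and `pull-requests: write` executes whatever that tag points at on the day it runs. Pinning to a full commit SHA with the version kept as a comment, `uses: google-github-actions/release-please-action@<commit-sha-from-the-action's-release> # v3`, closes that gap and is the usual companion to a `permissions:` audit. The step list continues outside the hunk, so any further steps in this job would need the same treatment. The top-level `permissions: {}` with job-level grants is the right structure, and the inline comments tying each scope to the step that needs it should stay.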