From 065f5ffc5ae107f752b908d1c81e4c4f3e26e7b7 Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 7 Oct 2022 15:39:00 +0300 Subject: [PATCH] ci: harden permissions for GitHub Workflows (#11174) * build: harden main.yml permissions Signed-off-by: Alex * build: harden project.yml permissions Signed-off-by: Alex * Update project.yml The permissions are not necessary, because a separate token is used `GITHUB_TOKEN: ${{ secrets.PROJECT_TOKEN }}`
---
 .github/workflows/main.yml | 3 +++ .github/workflows/project.yml | 1 + 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 50e00f9c9..57a1e3833 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -14,6 +14,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 tests:
 name: Run tests
diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml
index b2219893d..999cc08e2 100644
--- a/.github/workflows/project.yml
+++ b/.github/workflows/project.yml
@@ -9,6 +9,7 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions: {}
 jobs:
 add-to-project:
 name: Add to project
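Review bot: In `.github/workflows/main.yml` the `contents: read` grant is declared at workflow level, so every job under `jobs:` inherits it, including any job added later. A tighter layout is a top-level `permissions: {}` with `permissions:` and `contents: read` declared on the `tests` job itself, so that a new job starts with no token scopes until it asks for them. The `jobs:` mapping continues outside the hunk, so whether another job there relies on a write scope (and would now need its own job-level `permissions` block) cannot be checked from these lines.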
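Review bot: The `permissions: {}` line added to `.github/workflows/project.yml` carries no comment, so the reason it is safe to drop every scope lives only in the commit message. Keeping it next to the setting, as the main.yml hunk does, would help the next maintainer: `permissions: {}  # GITHUB_TOKEN is unused; the job authenticates with secrets.PROJECT_TOKEN`. This block limits only the automatic token; the scopes of `PROJECT_TOKEN` are set where that token is issued, so it is worth confirming separately that it is restricted to what the add-to-project job needs. The job body lies outside the hunk.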