From f1327dca09a6d87c7443d89a1cb6e6222b97c44d Mon Sep 17 00:00:00 2001
From: Soule BA
Date: Thu, 20 Jan 2022 16:35:43 +0100
Subject: [PATCH] Add Permissions to github Workflows

Improve GITHUB_TOKEN permissions in the workflows.

Signed-off-by: Soule BA
---
 .github/workflows/cifuzz.yaml | 4 ++++
 .github/workflows/e2e.yaml | 3 +++
 .github/workflows/nightly.yml | 3 +++
 .github/workflows/rebase.yml | 5 +++++
 .github/workflows/scan.yml | 4 ++++
 5 files changed, 19 insertions(+)
diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
index 202ce96..891c4e4 100644
--- a/.github/workflows/cifuzz.yaml
+++ b/.github/workflows/cifuzz.yaml
@@ -3,6 +3,10 @@ on:
 pull_request:
 branches:
 - main
+
+permissions:
+ contents: read # for actions/checkout to fetch code
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 9364198..2a8efd0 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -6,6 +6,9 @@ on:
 branches:
 - main

+permissions:
+ contents: read # for actions/checkout to fetch code
+
 jobs:
 kind:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 0d60165..6f1dc2d 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -7,6 +7,9 @@ on:
 env:
 REPOSITORY: ${{ github.repository }}

+permissions:
+ contents: read # for actions/checkout to fetch code
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index 74a9049..3ba814d 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
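Review bot: The inline comment on the new `contents: read # for actions/checkout to fetch code` line has a single space before `#`; yamllint's `comments` rule (min-spaces-from-content) expects at least two, so this line will be flagged as soon as a linter runs on the workflows. The same spacing is repeated in the e2e.yaml, nightly.yml, rebase.yml and scan.yml hunks of this patch. Writing it as `contents: read  # for actions/checkout to fetch code` keeps the explanation and satisfies the linter.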
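Review bot: With the workflow-level `permissions: contents: read`, `GITHUB_TOKEN` loses every write scope for the `build` job, whose body lies outside the hunk; the `REPOSITORY: ${{ github.repository }}` env entry suggests it tags and possibly pushes an image. If that push authenticates to GHCR with `GITHUB_TOKEN`, the job now also needs `packages: write`, best granted on the job's own `permissions:` block rather than workflow-wide; if it logs in with a registry secret instead, the read-only grant is correct and a comment saying so, e.g. `# registry login uses a secret, GITHUB_TOKEN only needs read`, would spare the next reader the same question. Either way the nightly is worth a manual run before this lands, since a permission failure there only surfaces at push time.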
@@ -6,6 +6,11 @@ on:
 issue_comment:
 types: [created]

+permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read
+ repository-projects: write
+
 jobs:
 rebase:
 if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index fd0fbae..8150f17 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -8,6 +8,10 @@ on:
 schedule:
 - cron: '18 10 * * 3'

+permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for codeQL to write security events
+
 jobs:
 fossa:
 name: FOSSA
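Review bot: `repository-projects: write` is the only write scope this patch introduces and, unlike `contents: read` two lines above, it carries no comment saying which step needs it; `pull-requests: read` is likewise uncommented. The rebase job's steps sit outside the hunk, so the need cannot be confirmed from here, but a rebase that pushes with `GITHUB_TOKEN` would call for `contents: write` rather than project access, while one that pushes with a bot PAT needs neither from `GITHUB_TOKEN`. Either document the scope in the same style as the line above, e.g. `repository-projects: write # for <step that needs it — confirm>`, or drop it if no step uses it, so the least-privilege intent of the commit actually holds for this workflow.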
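Review bot: `security-events: write` is granted at workflow level, so every job in scan.yml receives it, including the `fossa` job visible as the first job, while the comment itself says the scope is only for CodeQL. Least privilege here is keeping the workflow-level block at `contents: read` and adding a job-level `permissions:` block with `contents: read` and `security-events: write` to the CodeQL job, which lies outside the hunk. Job-level permissions replace rather than extend the workflow-level set, which is why `contents: read` has to be repeated on that job.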