From d40edc19333300b6c36dac94e4412e4881fcff18 Mon Sep 17 00:00:00 2001
From: nathannaveen <42319948+nathannaveen@users.noreply.github.com>
Date: Tue, 10 May 2022 16:24:30 -0400
Subject: [PATCH] Set permissions for GitHub actions (#6044)

Explicitly restrict the permissions used by the boulder-ci workflow jobs.
---
 .github/workflows/boulder-ci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/boulder-ci.yml b/.github/workflows/boulder-ci.yml
index ff185b04f..b1694bb62 100644
--- a/.github/workflows/boulder-ci.yml
+++ b/.github/workflows/boulder-ci.yml
@@ -17,6 +17,9 @@ on:
   workflow_dispatch:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions:
+  contents: read
+
 jobs:
   # Main test jobs. This looks like a single job, but the matrix
   # items will multiply it. For example every entry in the
@@ -102,6 +105,8 @@ jobs:
   # one static job name that can be used to determine success of the job
   # in GitHub branch protection.
   boulder_ci_test_matrix_status:
+    permissions:
+      contents: none
     if: ${{ always() }}
     runs-on: ubuntu-latest
     name: Boulder CI Test Matrix
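Review bot: The new top-level `permissions:` block in the first hunk carries no comment explaining why the default token scope is narrowed, and the job-level `contents: none` block in the second hunk has the same gap; a one-line rationale next to each keeps a later editor from widening the grant casually. Suggested above the top-level block: `# Default GITHUB_TOKEN scope for every job: read-only repository contents; a job that needs more must grant it in its own permissions block.` and above the job-level block: `# This job only aggregates matrix results and needs no repository access at all.` It is worth stating in the comment that these blocks constrain only the automatically issued GITHUB_TOKEN, not any secrets a step passes explicitly (the job steps are outside the hunk, so I cannot tell whether any do). If the status job is later given a step that needs the token, `contents: none` will deny it, which is the intended fail-closed behaviour and is less surprising when documented.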