From 05e1cf390731839b21939651c6c87dfc33c76f8b Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 24 Sep 2022 22:23:00 +0200
Subject: [PATCH 1/2] build: harden main.yml permissions
Signed-off-by: Alex
---
 .github/workflows/main.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 29a55f44d4..e6be9f4a1a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,7 @@
 name: main
 on: [ push, pull_request ]
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -220,6 +222,8 @@ jobs:
           php ocular.phar code-coverage:upload --format=php-clover coverage-clover.xml
   release:
+    permissions:
+      contents: write # to create a release (actions/create-release)
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     steps:
From 6ef22d92ee63b361e4bb6d1e554d99c8bc4f149d Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 24 Sep 2022 22:23:42 +0200
Subject: [PATCH 2/2] build: harden github-pages.yml permissions
Signed-off-by: Alex
---
 .github/workflows/github-pages.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml
index a7850833a3..dc3409900e 100644
--- a/.github/workflows/github-pages.yml
+++ b/.github/workflows/github-pages.yml
@@ -4,8 +4,12 @@ on:
     tags:
       - '*'
+permissions: {}
 jobs:
   github-pages:
+    permissions:
+      contents: write # to push pages branch (peaceiris/actions-gh-pages)
+
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
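Review bot: The workflow-level `permissions:` block in the first main.yml hunk sets every scope that is not listed to none, not only `contents`, so any step in the jobs between the two hunks (roughly lines 8–221 of main.yml, not visible here) that writes through the GitHub API — commit statuses, check runs, pull-request comments — will now get a 403 instead of continuing to work. The visible `test` job only needs checkout, so `contents: read` is right for it; the jobs outside the hunks should be audited before this merges. The comment could also say what the block implies for the rest of the file, e.g. `# all other scopes default to none; jobs needing more declare their own block`.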
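Review bot: In the second main.yml hunk the newly granted `contents: write` is gated only by the job's `if:` condition two lines below, and `contains(github.ref, 'refs/tags/')` is a substring test rather than a prefix test; `startsWith(github.ref, 'refs/tags/')` is the exact guard for tag refs and is the safer wording now that the job can write to the repository. The remainder of the release job's steps lies outside the hunk. Separately, the comment names `actions/create-release`, which has been archived upstream; if the job still uses it, replacing it with a maintained release step (for example `gh release create` using `GITHUB_TOKEN`, which needs the same `contents: write` scope) would be a reasonable follow-up.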
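Review bot: The added blank line after `contents: write` in the github-pages.yml hunk (the bare `+` line) sits inside the `github-pages` job mapping and has no counterpart in the main.yml hunks, so it looks like an accidental insertion; dropping it keeps the two workflows consistent. The scope itself matches peaceiris/actions-gh-pages, which pushes a branch, but `contents: write` also lets the job push to every other branch of the repository, and the workflow is triggered by any tag push. If the site is later moved to `actions/upload-pages-artifact` plus `actions/deploy-pages`, the job can run with only `pages: write` and `id-token: write`, which would be the tighter end state; a comment noting that `permissions: {}` at the top removes all default token scopes for jobs that do not declare their own would help the next maintainer.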