From 32edae48f8980d6cee6c91472f63921930a5c72f Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Fri, 29 Dec 2023 18:42:46 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/codeql-analysis.yml | 3 +++
 .github/workflows/coverage.yml | 3 +++
 .github/workflows/validate-pr-title.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6208db41a..34f1180a3 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
 schedule:
 - cron: '30 18 * * 2'

+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index dc7a46060..fe12e66a3 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -1,5 +1,8 @@
 name: Quality
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test with Coverage
diff --git a/.github/workflows/validate-pr-title.yml b/.github/workflows/validate-pr-title.yml
index 897527bc9..8bebb9111 100644
--- a/.github/workflows/validate-pr-title.yml
+++ b/.github/workflows/validate-pr-title.yml
@@ -6,6 +6,9 @@ on:
 - opened
 - edited
 - synchronize
+permissions:
+ contents: read
+
 jobs:
 validate:
 name: Validate PR title
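Review bot: The workflow-level `permissions:` block added to codeql-analysis.yml sets every scope it does not list to none, and the `analyze` job, whose steps lie outside the hunk, presumably uploads scan results, which needs `security-events: write`. If that job has no permissions block of its own, add one under `analyze:` with `permissions:`, `contents: read` and `security-events: write`, otherwise the upload would be rejected on push and scheduled runs. The same check applies to the coverage.yml and validate-pr-title.yml hunks: any step there that comments on a pull request, sets a commit status or reads pull-request data through the token needs its scope (`pull-requests: write`, `statuses: write` or `pull-requests: read`) declared at job level. Keeping the workflow default at `contents: read` and granting the extras per job preserves the least-privilege intent of this commit.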