From 05f1368902b386e5979e7fe163dd95f05fef0c01 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Sun, 2 Mar 2025 16:18:40 +0100
Subject: [PATCH] ci: set contents read as default workflow permissions
---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/labels.yml | 9 +++++++++
 .github/workflows/test.yml | 4 ++++
 .github/workflows/upx-releases-json.yml | 8 ++++++++
 .github/workflows/validate.yml | 4 ++++
 5 files changed, 29 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b9d5b29..708cc2b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 on:
 schedule:
 - cron: '0 10 * * *'
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 1342d9e..c0900a8 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -4,6 +4,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 on:
 push:
 branches:
@@ -19,6 +23,11 @@ on:
 jobs:
 labeler:
 runs-on: ubuntu-latest
+ permissions:
+ # same as global permissions
+ contents: read
+ # required to update labels
+ issues: write
 steps:
 - name: Checkout
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f791fc3..c8be036 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,6 +4,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 on:
 push:
 branches:
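Review bot: The workflow-level `permissions: contents: read` sets every other GITHUB_TOKEN scope to none, but the jobs of ci.yml lie outside this hunk, so it cannot be confirmed here that none of them still relies on the previous default token for a write (publishing artifacts, creating releases, commenting); any such job now needs its own job-level `permissions:` block, as labels.yml and upx-releases-json.yml do in this commit. The identical top-level hunks in labels.yml, test.yml, upx-releases-json.yml and validate.yml carry the same caveat. The bare docs URL is a reference rather than a rationale; consider adding `# least-privilege default: GITHUB_TOKEN is read-only unless a job widens it` above the block.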
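Review bot: The comment `# same as global permissions` on the labeler job's block is misleading: a job-level `permissions:` key replaces the workflow-level block rather than extending it, so `contents: read` is restated out of necessity, not redundancy, and a reader may otherwise delete it as duplication. Suggest `# job-level permissions replace the workflow-level block, so contents: read must be repeated here`. The labeler job's steps continue outside the hunk, so whether `issues: write` is the only scope the label-sync step needs cannot be checked from here.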
diff --git a/.github/workflows/upx-releases-json.yml b/.github/workflows/upx-releases-json.yml
index 57d224f..2a1bb9b 100644
--- a/.github/workflows/upx-releases-json.yml
+++ b/.github/workflows/upx-releases-json.yml
@@ -4,6 +4,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 on:
 workflow_dispatch:
 schedule:
@@ -27,6 +31,10 @@ jobs:
 open-pr:
 runs-on: ubuntu-22.04
 if: github.event_name != 'pull_request'
+ permissions:
+ # required to create PR
+ contents: write
+ pull-requests: write
 needs:
 - generate
 steps:
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index a28f09c..1a6a7ca 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -4,6 +4,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 on:
 push:
 branches:
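Review bot: `contents: write` on the open-pr job is the broadest scope this commit grants and the `# required to create PR` comment understates it: GITHUB_TOKEN has no branch-level granularity, so the token can push to any unprotected branch, not only the update branch the PR is opened from. The job is gated with `if: github.event_name != 'pull_request'`, and the `on:` block visible in the first hunk lists `workflow_dispatch` and `schedule`, though the guard suggests a pull_request trigger exists beyond the hunk; confirm the default branch is protected so the widened token cannot bypass review, and say so in the comment: `# contents: write lets the token push the update branch; default-branch protection keeps changes flowing through the PR`. Note also that a PR opened with GITHUB_TOKEN does not trigger `pull_request` workflows, so if CI is expected to run on the generated PR a separate token is needed. The open-pr job's steps continue outside the hunk.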