From 553eb4c7a8c5b80448afb12d1ccdb355d7b47b86 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Mon, 19 Jun 2023 05:53:04 -0300
Subject: [PATCH] ci: define minimal permissions to github workflows (#1295)

Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/codeql-analysis.yml | 4 ++++
 .github/workflows/go.yml | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 45cf724..5ad71d1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,10 @@ on:
 schedule:
 - cron: '31 21 * * 6'
+# Minimal permissions to be inherited by any job that don't declare it's own permissions
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 20b61d4..5f8d7c4 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -7,6 +7,10 @@ on:
 - main
 - 'release-*'
+# Minimal permissions to be inherited by any job that don't declare it's own permissions
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Tests
@@ -39,4 +43,4 @@ jobs:
 - name: Run style and unused
 if: ${{ matrix.go_version == '1.20' }}
- run: make style unused
\ No newline at end of file
+ run: make style unused
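Review bot: In codeql-analysis.yml the new workflow-level default of `contents: read` leaves the `analyze` job without `security-events: write` unless the job declares its own `permissions:` block. The job body continues outside the hunk, so this cannot be confirmed from here; if the block is missing, the CodeQL results upload would presumably be rejected and the scan would stop reporting findings. It is worth checking that `analyze` carries `security-events: write` (plus `contents: read`) at job level, so the elevated scope stays confined to that one job. Separately, the added comment, which is repeated in the first go.yml hunk, would read better as `# Minimal permissions, inherited by any job that doesn't declare its own permissions`.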