From 4becd1901f6ddb8a0643bde24f261735a638ce53 Mon Sep 17 00:00:00 2001
From: Alex <aleksandrosansan@gmail.com>
Date: Wed, 28 Sep 2022 05:36:47 +0300
Subject: [PATCH] ci: GitHub workflows security hardening (#6743)

---
 .github/workflows/ci.yml          | 4 ++++
 .github/workflows/release-tag.yml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eadcd94f6d8..3128dd2cb4f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
   pull_request:
     branches:
       - main
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   unit-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index d9ea7a07f72..16c6c9c5c10 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -5,8 +5,12 @@ on:
 
 name: Create Release
 
+permissions: {}
 jobs:
   build:
+    permissions:
+      contents: write # to create release (yyx990803/release-tag)
+
     name: Create Release
     runs-on: ubuntu-latest
     steps: