From 9813b904da763b15e047b73be4f062b72b596e21 Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 4 Nov 2022 00:30:07 +0200 Subject: [PATCH 1/4] build: harden validate.yml permissions Signed-off-by: Alex --- .github/workflows/validate.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index c5c75b4e253..ff998094eed 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -5,6 +5,9 @@ on: tags: ['v*'] workflow_dispatch: +permissions: + contents: read # to fetch code (actions/checkout) + jobs: release: runs-on: ubuntu-latest From 06db87692008f07772170f34ebb71430fd475c32 Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 4 Nov 2022 00:30:21 +0200 Subject: [PATCH 2/4] build: harden release.yml permissions Signed-off-by: Alex --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bdf8832b1ae..3da2366441d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,8 +4,12 @@ on: push: tags: ['v*'] +permissions: {} jobs: release: + permissions: + contents: write # to create a release (actions/create-release) + runs-on: ubuntu-latest steps: - name: Checkout code From 951a01f41cd0578f1137e0798617c3be1ee14e8c Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 4 Nov 2022 00:30:48 +0200 Subject: [PATCH 3/4] build: harden e2e.yml permissions Signed-off-by: Alex --- .github/workflows/e2e.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index edc8515c6cc..db36a7a001b 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -4,6 +4,9 @@ on: schedule: - cron: '0 */6 * * *' +permissions: + contents: read # to fetch code (actions/checkout) + jobs: validate: runs-on: ubuntu-latest From 9102dfda05d15cf643bc5988db8894667608c39e Mon Sep 17 00:00:00 2001 
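Review bot: The new `contents: read` block applies to every job in validate.yml, including the `release` job whose steps lie outside the hunk; if that job publishes anything on a `v*` tag or `workflow_dispatch` run (creating a release, pushing a tag, uploading assets) it will now fail with a 403 at runtime rather than at parse time, so its steps should be checked or given a job-level override. The grant also only constrains the automatic GITHUB_TOKEN — steps that authenticate with a PAT or another secret are unaffected. I'd make the comment say so: `contents: read # GITHUB_TOKEN only: fetch code (actions/checkout); widen per job, not here`.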
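Review bot: With `contents: write` granted at job level, the token that `actions/checkout` stores in `.git/config` (persist-credentials defaults to true) is write-capable for every later step of the `release` job, so a compromised build dependency or script could push to the repository; add `persist-credentials: false` to the "Checkout code" step unless a later step genuinely needs the persisted credential. The step list continues outside the hunk, so I cannot confirm what runs after checkout. The `actions/create-release` action named in the comment is archived upstream, which is worth noting next to the scope so the grant is revisited when the action is replaced. Minor: the other three patches leave a blank line after the inserted `permissions` block while here `permissions: {}` appears to sit directly above `jobs:`; if so, add the blank line for consistency.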
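Review bot: `contents: read` is the right default for a cron-triggered run, but the `validate` job's steps are outside the hunk; if any of them report a failure by opening an issue or writing a check, they now receive a 403 and should get that narrower scope at job level (`issues: write` or `checks: write`) rather than by loosening this top-level block. It is also worth recording that the restriction governs GITHUB_TOKEN only, e.g. `contents: read # GITHUB_TOKEN scope: fetch code (actions/checkout); other secrets unaffected`.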
From: Alex Date: Fri, 4 Nov 2022 00:31:35 +0200 Subject: [PATCH 4/4] build: harden ci.yml permissions Signed-off-by: Alex --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 145873d4f21..6d019ba2867 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: pull_request: branches: ['*'] +permissions: + contents: read # to fetch code (actions/checkout) + jobs: esbuild-slow: # Split these out into their own runner because they're very slow
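Review bot: For `pull_request` runs from forks GITHUB_TOKEN is already read-only, so the practical effect of this block is on `push` and same-repository PR runs, where it drops the default write grant; stating that in the comment prevents a future maintainer from widening it to "fix" a failing step, e.g. `contents: read # GITHUB_TOKEN: fetch code only (actions/checkout); add scopes per job, not here`. The jobs below (`esbuild-slow` and any others) are outside the hunk, so confirm none of them post PR comments, publish packages or write to a release via the token. Restricting permissions does not pin the actions themselves; pinning `actions/checkout` to a commit SHA is the natural companion hardening.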