From 1eaba96ae461dc28897ce70f3f8d9bc196db64c6 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 24 Sep 2022 21:41:16 +0200
Subject: [PATCH 1/2] build: harden release-tag.yml permissions
Signed-off-by: Alex
---
 .github/workflows/release-tag.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index d9ea7a07f72..16c6c9c5c10 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -5,8 +5,12 @@ on:
 name: Create Release
+permissions: {}
 jobs:
 build:
+ permissions:
+ contents: write # to create release (yyx990803/release-tag)
+
 name: Create Release
 runs-on: ubuntu-latest
 steps:
From e2b2d180c35040565408be4654596661b5f3006c Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 24 Sep 2022 21:42:22 +0200
Subject: [PATCH 2/2] build: harden ci.yml permissions
Signed-off-by: Alex
---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eadcd94f6d8..3128dd2cb4f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 branches:
 - main
+
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 unit-test:
 runs-on: ubuntu-latest
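Review bot: In .github/workflows/release-tag.yml the new top-level `permissions: {}` carries no comment, unlike the job-level grant below it, so a later editor may not realise it is the deny-all default that every job has to opt out of; I would write `permissions: {} # default-deny; each job requests only what it needs`. The `build` job now holds `contents: write`, and its `steps:` list lies outside the hunk, so it is not visible how `yyx990803/release-tag` is referenced. If that reference is a tag or branch rather than a full commit SHA, pinning it would keep the write-scoped token from being handed to code that can change under the same ref.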
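Review bot: In .github/workflows/ci.yml the grant is made at workflow level, which differs from the shape patch 1/2 uses in release-tag.yml, where the top level is `permissions: {}` and the job opts in. With the workflow-level block every job, including ones added later, inherits `contents: read` without stating it, and all other scopes become none for all of them. For a consistent default-deny layout I would put `permissions: {}` at the top and `permissions:` with `contents: read # to fetch code (actions/checkout)` under `unit-test` and each other job that checks out code. The remaining jobs and their steps lie outside the hunk, so whether any of them needs a further scope cannot be confirmed from here.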