From b1026e3450d7509407fc7812e07217cc3d0f22b7 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Mon, 28 Aug 2023 14:59:47 -0300
Subject: [PATCH] CI: set minimal permissions for GitHub Workflows (#218)
---
 .github/workflows/CI.yml | 3 +++
 .github/workflows/codeql.yml | 3 +++
 .github/workflows/publish.yaml | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 305f5c0..f736bc8 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -2,6 +2,9 @@ name: CI
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 ci:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d908534..d79a85e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on:
 schedule:
 - cron: '0 19 * * 0'
+permissions:
+ contents: read
+
 jobs:
 CodeQL-Build:
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 9a88554..0fea9f3 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -4,6 +4,9 @@ on:
 release:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 publish-npm:
 runs-on: ubuntu-latest
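Review bot: The workflow-level `permissions` block added to codeql.yml lists only `contents: read`, which sets every unlisted scope, including `security-events`, to `none` for the CodeQL-Build job. CodeQL's analyze step uploads its results to code scanning and needs `security-events: write`, so unless the job already declares its own permissions (its body lies outside this hunk), the upload is likely to fail on scheduled runs. Keep the read-only default and add a job-level block under `CodeQL-Build:`, that is `permissions:` with `contents: read` and `security-events: write`.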
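Review bot: In publish.yaml the new top-level block grants only `contents: read`, and any scope not listed becomes `none` for publish-npm and every other job in the file. That is enough for a publish authenticated with a registry token held as a secret, but the job body is outside this hunk, so it cannot be confirmed here. If a step relies on the workflow token for more, for example `npm publish --provenance` (needs `id-token: write`) or a GitHub Packages publish (needs `packages: write`), grant that scope on the specific job rather than widening the workflow default. A short comment above the block such as `# read-only default; add write scopes per job` would record the intent.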