From 169b6459df7a4eb0c44c684e663bf83d7138446e Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Fri, 30 Jun 2023 02:37:26 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/add-to-project.yml | 3 +++
 .github/workflows/build.yml          | 3 +++
 .github/workflows/codeql.yml         | 3 +++
 .github/workflows/release-github.yml | 5 +++++
 4 files changed, 14 insertions(+)

diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index 8c42bdc86..0522bdad5 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -3,6 +3,9 @@ on:
     types:
       - opened
 
+permissions:
+  contents: read
+
 jobs:
   add-to-project:
     name: Add issue to project
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fa46b3ef4..e27fd3946 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,6 +4,9 @@ on:
   push:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 424ce4de2..200e8825a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '38 21 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml
index 96a5ac22c..79af44799 100644
--- a/.github/workflows/release-github.yml
+++ b/.github/workflows/release-github.yml
@@ -5,8 +5,13 @@ on:
     tags:
       - v*
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write # for goreleaser/goreleaser-action to create a GitHub release
     name: Release Notation Binaries
     runs-on: ubuntu-20.04
     strategy:
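Review bot: The new workflow-level `permissions: contents: read` in add-to-project.yml strips every other scope from GITHUB_TOKEN, and the add-to-project job's steps lie outside the hunk, so it is not visible whether the project action authenticates with GITHUB_TOKEN or with a PAT stored as a secret. If it relies on GITHUB_TOKEN, the job now lacks the write scope needed to add an issue to a project and should declare its own block under `add-to-project:`, e.g. `permissions:` / `  repository-projects: write` / `  issues: read`, following the job-level pattern this commit uses in release-github.yml. If it uses a PAT, the top-level block is sufficient, and a one-line comment saying so (`# job uses a PAT secret; GITHUB_TOKEN only needs read`) would spare the next reader this check.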
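Review bot: The top-level `permissions:` block added to build.yml carries no comment explaining that it is the workflow-wide default and that jobs needing more must declare their own block rather than widen it; the same applies to the identical blocks added in add-to-project.yml and codeql.yml. A one-line comment such as `# least-privilege default for every job; elevate per job, never here` keeps a later edit from silently raising the scope of all jobs at once. Note that the `if:` condition on the build job admits pull_request runs only from forks, where GITHUB_TOKEN is already read-only, so the new block chiefly constrains push-triggered runs; the job's steps are outside the hunk and have not been checked against it.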
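Review bot: With `contents: read` now the only workflow-wide scope in codeql.yml, the analyze job needs `security-events: write` for the CodeQL analyze action to upload its SARIF results, and the job body is outside the hunk, so it is not visible whether a job-level `permissions:` block already grants it. If it does not, add under `analyze:` the lines `permissions:` / `  security-events: write` / `  contents: read` (plus `actions: read` on a private repository), mirroring the job-level grant this commit adds in release-github.yml. Without it the scheduled scan runs the queries and then fails at the upload step, which is easy to miss because the workflow still triggers weekly.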
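Review bot: The job-level `contents: write` in release-github.yml becomes the only elevated scope the release job holds, and its steps are outside the hunk; if any step also depended on the repository's previous default token scopes — for instance `packages: write` to push an image or `id-token: write` for keyless signing — it would now fail at that step, so the step list is worth checking against the new grant before merging. The inline comment naming the consumer (goreleaser) is the right pattern for an elevated scope. The top-level `contents: read` a few lines above would benefit from the same treatment, e.g. `# default for all jobs; widen per job only`.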