From 7ef550afca1d1c0891c12155702898ebfe434872 Mon Sep 17 00:00:00 2001
From: Alex
Date: Tue, 20 Sep 2022 21:41:21 +0200
Subject: [PATCH] GitHub Workflows security hardening (#5365)

* build: harden pypi_upload.yml permissions

Signed-off-by: Alex

* build: harden ci.yaml permissions

Signed-off-by: Alex
---
 .github/workflows/ci.yaml         | 2 ++
 .github/workflows/pypi_upload.yml | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 9ae0150f..e115ae6c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -32,6 +32,8 @@ on:
       - ".gitmodules"
       - ".gitattributes"
       - ".editorconfig"
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
   lint:
     name: Check code linting
diff --git a/.github/workflows/pypi_upload.yml b/.github/workflows/pypi_upload.yml
index c5ee31c5..d59e3695 100644
--- a/.github/workflows/pypi_upload.yml
+++ b/.github/workflows/pypi_upload.yml
@@ -6,8 +6,12 @@ on:
     tags:
      - v[0-9]+.[0-9]+.* # add .* to allow dev releases
+permissions: {}
 jobs:
   deploy:
+    permissions:
+      contents: write # to create a release (actions/create-release)
+
     name: pipenv PyPI Upload
     runs-on: ubuntu-latest
    env:
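Review bot: The workflow-level `contents: read` inserted before `jobs:` now caps the GITHUB_TOKEN for every job in ci.yaml, including any job defined past this hunk, and a job that needs a write scope (for example `pull-requests: write` to post a comment, or `checks: write` for a test-results reporter) will fail at the API call rather than at workflow load, so each such job must declare its own job-level `permissions:` block, as the `deploy` job in pypi_upload.yml does in this same commit. The trailing comment `# to fetch code (actions/checkout)` records what the grant is for but not why it is workflow-wide; suggest `contents: read # least-privilege default for every job: read-only checkout, grant extra scopes per job`. Note that on pull-request runs from forks the token is read-only regardless of this block, so the hardening mainly takes effect for push and same-repository runs (the trigger list itself lies outside this hunk). The `on:` block starts before this hunk and the `jobs:` block continues past it.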
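Review bot: `contents: write` on `deploy` grants more than release creation — the same scope also lets the job push commits and tags and modify repository contents, and GitHub offers no narrower scope for releases — so the job-level placement under the workflow-level `permissions: {}` is the right call, but the comment should say so to keep the next maintainer from hoisting it; suggest `contents: write # minimum scope to create a GitHub release; also allows pushing refs, so keep it on this job only`. The `+` blank line added after the `permissions:` block is harmless but inconsistent with the rest of the job, which has no blank separators. The remainder of the `deploy` job, including whatever step publishes to PyPI, lies outside this hunk; if it is later moved to PyPI trusted publishing it will additionally need `id-token: write` here, which the new top-level `permissions: {}` now correctly denies by default.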