From 90097717766800fd896a333a87bf9280d3ff57b6 Mon Sep 17 00:00:00 2001
From: Philipp Wolfer
Date: Wed, 6 Sep 2023 15:41:02 +0200
Subject: [PATCH] Restrict default permissions of Github Actions
---
 .github/workflows/codacy-analysis.yml | 5 +++++
 .github/workflows/codeql-analysis.yml | 5 +++++
 .github/workflows/package.yml | 4 ++++
 .github/workflows/pypi-release.yml | 1 +
 .github/workflows/run-tests.yml | 1 +
 5 files changed, 16 insertions(+)
diff --git a/.github/workflows/codacy-analysis.yml b/.github/workflows/codacy-analysis.yml
index b388e8c91..ed6c88527 100644
--- a/.github/workflows/codacy-analysis.yml
+++ b/.github/workflows/codacy-analysis.yml
@@ -17,6 +17,11 @@ on:
 schedule:
 - cron: '32 4 * * 0'
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
 codacy-security-scan:
 name: Codacy Security Scan
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index acde4702b..bcb9b11e4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,11 @@ on:
 schedule:
 - cron: '0 14 * * 6'
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index cf03a984f..6cf17228d 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -22,6 +22,8 @@ on:
 - 'win.version-info.txt.in'
 pull_request:
+permissions: {}
+
 jobs:
 package-macos:
 runs-on: macos-11
@@ -240,6 +242,8 @@ jobs:
 - package-macos
 - package-windows
 - package-pypi
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-python@v4
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index 5f3b1e1a1..35bebda80 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -2,6 +2,7 @@ name: Package for PyPI
 on: [workflow_call]
+permissions: {}
 defaults:
 run:
 shell: bash
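Review bot: The `permissions:` block is declared at workflow level, so `security-events: write` is granted to every job in this file rather than only to the job that uploads SARIF; for a single-job workflow that is equivalent today, but moving the three lines under `codacy-security-scan:` keeps the grant from leaking into any job added later. `actions: read` is, per the codeql-action starter template, only needed on private repositories (it lets `github/codeql-action/upload-sarif` read the run status), so a comment such as `actions: read  # only required on private repos by codeql-action/upload-sarif` would record why it is here. The job body continues past the hunk, so I can't confirm which step performs the upload.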
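Review bot: As in the Codacy workflow, the grant is workflow-wide, so `security-events: write` reaches every job in this file rather than only `analyze`; moving the block under `analyze:` (where the CodeQL starter template places it) means a job added later, e.g. a build helper, does not inherit the ability to write code-scanning alerts. The `on:` trigger list starts above the hunk; if it includes `pull_request`, a short comment noting that fork PRs still receive a read-only token regardless of this block would stop someone later "fixing" a failed upload by switching to `pull_request_target`.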
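Review bot: `contents: write` is the only write grant in this patch and it is handed to every step of this job, including `actions/checkout@v3`, which by default persists GITHUB_TOKEN in `.git/config` for the rest of the job; unless a later step pushes with git, add `with: persist-credentials: false` to that checkout so the write-capable token is not left on disk for the setup and upload steps. The job's name and any `if:` condition start before this hunk, so I can't see whether it is gated to tag or release runs; since this file is also triggered on `pull_request` (visible in the first hunk), confirm the job is conditioned so a same-repo PR does not execute with a write token. The remainder of the `steps:` list also runs past the hunk.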
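Review bot: `permissions: {}` in a `workflow_call` workflow applies to every job below it, and a called workflow can only reduce, never raise, what the calling job passes in; any job in this file that needs the token — `id-token: write` if publishing relies on PyPI trusted publishing, or `contents: read` for checkout of a private repository — now has to declare a job-level `permissions:` block, and the calling job in package.yml must grant the same scope. The jobs are outside this hunk, so I can't tell whether that applies here; a comment such as `# jobs that need the token must request it at job level; the caller can only downgrade this` above the new line would save the next maintainer the lookup.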
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 285a139d9..015c88943 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -1,6 +1,7 @@
 name: Run tests
 on: [push, pull_request]
+permissions: {}
 jobs:
 test-latest: