From f28e18e67673eccf58af78f67e283a24a2edf4da Mon Sep 17 00:00:00 2001
From: Alex <aleksandrosansan@gmail.com>
Date: Sun, 25 Sep 2022 14:42:01 +0200
Subject: [PATCH] GitHub Workflows security hardening (#4761)

* build: harden integration_tests.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden image_builds.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

Signed-off-by: Alex <aleksandrosansan@gmail.com>
Co-authored-by: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com>
---
 .github/workflows/image_builds.yml      | 3 +++
 .github/workflows/integration_tests.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/image_builds.yml b/.github/workflows/image_builds.yml
index 007b1014..fe660754 100644
--- a/.github/workflows/image_builds.yml
+++ b/.github/workflows/image_builds.yml
@@ -5,6 +5,9 @@ on:
     branches: [ "master", "staging" ]
   workflow_dispatch:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   docker_image_builds:
     strategy:
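Review bot: The new workflow-level `permissions:` block sets the GITHUB_TOKEN default for every job in image_builds.yml, so any job that does more than check out code (pushing an image to a registry would need `packages: write`, for instance) must now declare its own job-level `permissions:` override or it will fail with a 403 at runtime. The job bodies are outside this hunk, so that cannot be confirmed from here; it is worth a quick check of each step that authenticates with the token. The trailing comment on `contents: read` is useful — consider extending it to name that intent, e.g. `contents: read # to fetch code (actions/checkout); jobs needing more must override at job level`. The `jobs:` mapping continues past the end of the hunk.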
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
index 7d6c4ac2..ee083bf4 100644
--- a/.github/workflows/integration_tests.yml
+++ b/.github/workflows/integration_tests.yml
@@ -5,6 +5,9 @@ on:
     branches: [ "master", "staging" ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   integration_tests:
     runs-on: ubuntu-latest
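Review bot: This hunk adds `contents: read` without the explanatory comment that the same change carries in image_builds.yml, so the two files now document the hardening inconsistently. For parity, write it as `contents: read # to fetch code (actions/checkout)`. As in the other file, this becomes the default for every job in integration_tests.yml; the integration_tests job body continues outside the hunk, so any step that needs write access to the token would have to set a job-level `permissions:` block.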