From 45b77c68195eb933231290a09e9f6a0cca56aad8 Mon Sep 17 00:00:00 2001
From: Alex
Date: Fri, 4 Nov 2022 02:42:22 +0200
Subject: [PATCH] GitHub Workflows security hardening (#2923)

---
 .github/workflows/bench.yml | 3 +++
 .github/workflows/ci-post-merge.yml | 3 +++
 .github/workflows/ci.yml | 3 +++
 .github/workflows/upload-doc.yml | 4 ++++
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
index a4b54ca7a..008c33f89 100644
--- a/.github/workflows/bench.yml
+++ b/.github/workflows/bench.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - master
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 check_benchmark:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-post-merge.yml b/.github/workflows/ci-post-merge.yml
index 1ee97b591..6d76301d8 100644
--- a/.github/workflows/ci-post-merge.yml
+++ b/.github/workflows/ci-post-merge.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches: [master]
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 build_and_test_nightly:
 strategy:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de1e1fe18..07e21ef43 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 push:
 branches: [master]
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 build_and_test:
 strategy:
diff --git a/.github/workflows/upload-doc.yml b/.github/workflows/upload-doc.yml
index c47ea1d70..ac181b3f9 100644
--- a/.github/workflows/upload-doc.yml
+++ b/.github/workflows/upload-doc.yml
@@ -4,8 +4,12 @@ on:
 push:
 branches: [master]
 
+permissions: {}
 jobs:
 build:
+ permissions:
+ contents: write # to push changes in repo (jamesives/github-pages-deploy-action)
+
 runs-on: ubuntu-latest
 steps:
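Review bot: The workflow-level `contents: read` in the bench.yml hunk becomes the GITHUB_TOKEN scope for every job in the file, so any step that pushes to the repository, creates a check run or comments on a pull request will now get a 403 from the API; the hunk shows only the trigger and the first job name, so I cannot confirm from here that none of the jobs needs more than read. The identical hunks in ci-post-merge.yml and ci.yml have the same consideration. If a particular job does need a broader scope, grant it on that job alone, as the upload-doc.yml hunk does, rather than widening the workflow default. It would also help future readers to say in the comment that this is the default for all jobs, e.g. `contents: read # default for every job; needed to fetch code (actions/checkout)`.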