From 174429f34538b342d3e55048206b20ff18a82d0d Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Mon, 12 May 2025 14:23:24 -0700
Subject: [PATCH] Restrict github token permissions
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/ossf-scorecard.yml | 3 ++-
 .github/workflows/test.yml | 3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 936da1c..25d988e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main ]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
index 202e5df..64b918a 100644
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -8,7 +8,8 @@ on:
 - cron: "39 12 * * 2" # once a week
 workflow_dispatch:
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 analysis:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1c57de4..b2a408c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main ]
+permissions:
+ contents: read
+
 jobs:
 test:
 timeout-minutes: 60
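Review bot: In `.github/workflows/ci.yml` (and identically in `.github/workflows/test.yml`), the new top-level `permissions:` block carries no comment saying that it is the default for every job, and listing only `contents: read` sets every other GITHUB_TOKEN scope to `none`. The `build` and `test` job bodies continue outside these hunks, so it is not visible whether any step needs another scope (for example to post a check result or a pull-request comment); if one does, it should be granted in a job-level `permissions:` block rather than by widening this one. I would add `# least-privilege default for all jobs; grant extra scopes per job` above `permissions:` in both files.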
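Review bot: In `.github/workflows/ossf-scorecard.yml`, narrowing the workflow default from `read-all` to `contents: read` only changes what the `analysis` job receives if that job has no `permissions:` block of its own, because a job-level block replaces the workflow-level one rather than merging with it. The job body continues outside the hunk, so this cannot be confirmed here; if the job uploads results to code scanning or publishes them, it presumably needs `security-events: write` and `id-token: write` declared at job level, and any read scope it previously took from `read-all` (such as `actions: read`) now has to be listed there explicitly. A comment such as `# workflow default; the analysis job declares its own scopes` above `permissions:` would make that relationship clear.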