GitHub Workflows security hardening (#1451)

sashashura · web-flow · commit 36916f07596f · 2022-10-10T09:59:47.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,6 +11,9 @@ env:
   GIT_BRANCH: ${{ github.ref }}
   COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   linting:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,6 +4,8 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read  # to checkout the code (actions/checkout)
 jobs:
   build:
     name: Publish to Rubygems
diff --git a/.github/workflows/refresh_team_page.yml b/.github/workflows/refresh_team_page.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches: [ main ]
 
+permissions: {}
 jobs:
   build:
     name: Refresh Contributors Stats
