From 32c181e0aa17ad9d4b11cd3647696274069b97c5 Mon Sep 17 00:00:00 2001
From: Paul Wankadia
Date: Mon, 15 Jan 2024 17:49:31 +0000
Subject: [PATCH] Try to lock down workflow permissions.

Note that testing will occur only after this commit lands...

Change-Id: Ib7ef2a73e743cb48774e96f86321c2fcc058f0b4
Reviewed-on: https://code-review.googlesource.com/c/re2/+/62350
Reviewed-by: Alex Chernyakhovsky
Reviewed-by: Paul Wankadia
---
.github/workflows/ci-bazel.yml | 2 ++
.github/workflows/ci-cmake.yml | 2 ++
.github/workflows/ci.yml | 2 ++
.github/workflows/pr.yml | 8 ++++++++
.github/workflows/python.yml | 2 ++
5 files changed, 16 insertions(+)

diff --git a/.github/workflows/ci-bazel.yml b/.github/workflows/ci-bazel.yml
index 013b52ca4..d203d2d42 100644
--- a/.github/workflows/ci-bazel.yml
+++ b/.github/workflows/ci-bazel.yml
@@ -2,6 +2,8 @@ name: CI (Bazel)
on:
push:
branches: [main]
+permissions:
+ contents: read
jobs:
build:
runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/ci-cmake.yml b/.github/workflows/ci-cmake.yml
index d2d03afab..2287779ff 100644
--- a/.github/workflows/ci-cmake.yml
+++ b/.github/workflows/ci-cmake.yml
@@ -2,6 +2,8 @@ name: CI (CMake)
on:
push:
branches: [main]
+permissions:
+ contents: read
jobs:
build-linux:
runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 44ac9dc29..41a892d35 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,8 @@ name: CI
on:
push:
branches: [main]
+permissions:
+ contents: read
jobs:
build-appleclang:
runs-on: macos-latest
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 860da6236..e3f94fa06 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
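Review bot: The new workflow-level `permissions` block in ci-bazel.yml carries no comment explaining the intent, and the identical blocks in ci-cmake.yml, ci.yml and python.yml have the same gap. A one-line comment above it would make the model explicit for the next editor, e.g. `# Default GITHUB_TOKEN is read-only for every job; a job that needs more must declare its own permissions block.` That wording also records the non-obvious rule that a job-level `permissions` block replaces the workflow-level set rather than extending it, which is why pr.yml in this same commit has to restate `contents: read` inside the `close` job. Scoping the workflow to `contents: read` on `push` to `main` is otherwise the right least-privilege default and nothing visible in these hunks needs more than that.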
@@ -3,8 +3,16 @@ on:
pull_request_target:
branches: [main]
types: [opened]
+permissions:
+ contents: read
jobs:
close:
+ permissions:
+ contents: read
+ # We have to use two different APIs below,
+ # so just grant two different permissions.
+ issues: write
+ pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 2680db24c..0767cc5a8 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -5,6 +5,8 @@ on:
build:
required: true
type: number
+permissions:
+ contents: read
jobs:
wheel-linux:
name: Linux ${{ matrix.os }}, ${{ matrix.arch.name }}, Python ${{ matrix.ver }}
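Review bot: The `close` job now holds `issues: write` and `pull-requests: write` under a `pull_request_target` trigger, so its GITHUB_TOKEN is writable while the run executes in the base-repository context, and the added comment only says why two scopes are needed, not what that combination must never be paired with. The `actions/checkout@v3` step in the hunk shows no `ref:`, which (assuming none follows outside the hunk) checks out the base branch and is the safe configuration; it is worth pinning that down next to the permissions block, e.g. `# pull_request_target + write scopes: never check out or execute code from the PR head in this job.` The `close` job's steps continue past the end of the hunk, so I cannot confirm from here what the later steps do with the token. Referencing `actions/checkout` by commit SHA instead of the floating `@v3` tag would also narrow what this writable token is exposed to, though that line is unchanged context rather than part of this commit.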
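Review bot: The workflow-level `permissions: contents: read` in python.yml is placed on a workflow whose `on:` declares a typed input (`build: required: true type: number`), which looks like a `workflow_call` or `workflow_dispatch` trigger; if it is `workflow_call`, this block caps whatever token the calling workflow passes in, for every job, which is a stronger effect than in the push-triggered CI files and deserves a note. Something like `# Caps the caller's token to read-only; a job that publishes (e.g. needs id-token: write) must request it at job level.` above the block would record that, in the same way pr.yml's `close` job documents its own elevation. The `wheel-linux` job body runs past the hunk, so whether any step there needs more than `contents: read` is not visible from this view.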