From f6a75f975c6251566284c23045d12fd63cf56522 Mon Sep 17 00:00:00 2001
From: Stephen Morgan
Date: Tue, 8 Apr 2025 16:57:19 +1200
Subject: [PATCH] ci: explicit permissions for actions

---
 .github/workflows/ci.yml | 6 ++++++
 .github/workflows/docs.yml | 3 +++
 .github/workflows/mirror.yml | 3 +++
 .github/workflows/publish-deps.yml | 5 +++++
 .github/workflows/release.yml | 3 +++
 5 files changed, 20 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f96e9955..ac0d7539 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
 - master
 workflow_dispatch:
+permissions:
+ contents: read
+
 # Cancel old builds on new commit for same workflow + branch/PR
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -57,6 +60,9 @@ jobs:
 docker:
 name: Build with docker
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@v4
 name: Checkout Repo
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 813eea21..d3645502 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -6,6 +6,9 @@ on:
 - master
 workflow_dispatch:
+permissions:
+ contents: write
+ pages: write
 # Cancel old builds on new commit for same workflow + branch/PR
 concurrency:
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index 7860c0b8..5c56a23b 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -8,6 +8,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 jobs:
 mirror:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-deps.yml b/.github/workflows/publish-deps.yml
index d40966e6..7e50ecf5 100644
--- a/.github/workflows/publish-deps.yml
+++ b/.github/workflows/publish-deps.yml
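Review bot: The job-level `packages: write` on the docker job in the second ci.yml hunk is the only write grant in that workflow, and nothing records which step needs it, so a later reader cannot tell whether it can be dropped when the build steps change. Annotate it, e.g. `packages: write  # needed only by the image push step — confirm`, naming the step once you have checked it. Note also that on pull_request events from forks GITHUB_TOKEN is read-only regardless of this grant, so the push step should be conditioned on the event type if it is not already; the steps that use the token are outside this hunk.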
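Review bot: The workflow-level `contents: write` together with `pages: write` in the docs.yml hunk gives every job in that workflow write access to the repository, which is the broadest grant in this series, and whether it is needed depends on how the site is deployed, which is outside the hunk. If deployment uses `actions/deploy-pages`, the deploying job also needs `id-token: write` and `contents: read` is enough; if it pushes to a `gh-pages` branch, `contents: write` is needed only on that job. Keep the workflow default at `contents: read` and move the write grants under the deploying job's `permissions:`, with a comment naming the step that needs each one, as this same commit already does for the docker job in ci.yml.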
@@ -3,6 +3,11 @@ name: Publish Dependencies
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+
 jobs:
 publish:
 # Must match glibc verison in node:20
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 63ebf089..91ad34b9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
 - master
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 semantic-release:
 name: Release
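Review bot: `id-token: write` is granted at workflow level in publish-deps.yml, so every job in that workflow can mint an OIDC token, not only the `publish` job that presumably performs the registry exchange. Move `packages: write` and `id-token: write` under `jobs.publish.permissions` and keep the workflow-level block at `contents: read`, matching the job-scoped pattern this commit uses for the docker job in ci.yml. A comment such as `id-token: write  # OIDC token for the publish step — confirm which step uses it` would record why the grant exists; the publish job's steps are outside the hunk.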
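Review bot: The new workflow-level `contents: read` in the release.yml hunk limits GITHUB_TOKEN to read access for the `semantic-release` job, yet a release job normally creates tags and releases, which requires `contents: write`. If the job authenticates with GITHUB_TOKEN this will fail at the first real release; if it uses a separate app or PAT secret (often done so that the release can trigger other workflows), the read grant is correct but should say so, e.g. `contents: read  # release pushes with a dedicated token, not GITHUB_TOKEN — confirm`. The job's steps are outside the hunk, so which token it uses cannot be verified here.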