From 82d0546d162a5bbbf0f64ceb4da278899b52a6f0 Mon Sep 17 00:00:00 2001
From: Alex
Date: Fri, 4 Nov 2022 01:05:28 +0200
Subject: [PATCH] build: harden workflow permissions
Signed-off-by: Alex
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/documentation.yml | 3 +++
 .github/workflows/itch.yml | 1 +
 .github/workflows/packaging.yml | 3 +++
 4 files changed, 10 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c94c40256c..e96aba35f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches: [ bleed ]
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 linux:
 name: Linux (.NET 6.0)
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 8794f87405..3a65a6626b 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -8,6 +8,9 @@ on:
 required: true
 default: 'release-xxxxxxxx'
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 wiki:
 name: Update Wiki
diff --git a/.github/workflows/itch.yml b/.github/workflows/itch.yml
index e785284528..96a87f3106 100644
--- a/.github/workflows/itch.yml
+++ b/.github/workflows/itch.yml
@@ -8,6 +8,7 @@ on:
 required: true
 default: 'release-xxxxxxxx'
+permissions: {}
 jobs:
 itch:
 name: Deploy to itch.io
diff --git a/.github/workflows/packaging.yml b/.github/workflows/packaging.yml
index 53d11b7878..7d7236f079 100644
--- a/.github/workflows/packaging.yml
+++ b/.github/workflows/packaging.yml
@@ -7,6 +7,9 @@ on:
 - 'playtest-*'
 - 'devtest-*'
+permissions:
+ contents: write # for release creation (svenstaro/upload-release-action)
+
 jobs:
 source:
 name: Source Tarball
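Review bot: In `.github/workflows/itch.yml` the new `permissions: {}` line has no comment, while the other three workflows in this patch each say why they keep the scope they keep. An empty map removes every GITHUB_TOKEN scope, so a reader cannot tell whether that is deliberate or an unfinished edit. A trailing comment would settle it, for example `permissions: {} # GITHUB_TOKEN is not used by this workflow`, with the wording to be confirmed against the job's steps, which are outside the hunk. The block is also added as a single line (`1 +` in the diffstat), so it lacks the blank-line separation the other files give it on both sides.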
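Review bot: In `.github/workflows/packaging.yml` the `contents: write` grant is declared at workflow level, so every job in the file receives a token that can modify repository contents and releases, not only the steps that publish. The comment ties the scope to `svenstaro/upload-release-action`, so the narrower form is a top-level `permissions:` with `contents: read`, plus a job-level `permissions:` with `contents: write` inside each job that calls that action. The job list begins at `source:` and continues outside the hunk, so which jobs actually upload has to be checked there before the grant is moved.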