From e93d92a2c530ad8b9ade879c24caf9df94e39388 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 28 Oct 2024 17:09:15 -0400
Subject: [PATCH] Restrict permissions of GITHUB_TOKEN

This changes the default permissions for the GITHUB_TOKEN used in our GitHub Actions configuration to the minimum required to successfully run.
---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e7a60b2..82993bf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,6 +30,7 @@ env:
 jobs:
 diagnostics:
 name: Run diagnostics
+ permissions: {}
 runs-on: ubuntu-latest
 steps:
 # Note that a duplicate of this step must be added at the top of
@@ -48,6 +49,8 @@ jobs:
 lint:
 needs:
 - diagnostics
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - id: harden-runner
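Review bot: Both `permissions:` keys are set per job (here on `diagnostics`, and on `lint` in the next hunk), so unless a workflow-level `permissions:` block already exists above `env:`, which this hunk does not show, any job added later without its own key falls back to the repository or organization default for GITHUB_TOKEN. A top-level `permissions: {}` placed before `jobs:` would make the workflow fail closed and leave each job to opt in to what it needs. It would also help to record the intent beside the key, e.g. `# This job does not need any permissions`. The `diagnostics` job body continues outside the hunk.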
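Review bot: The `contents: read` grant on `lint` carries no comment saying which step needs it, and the job's steps are outside the hunk apart from the `harden-runner` id. Because naming any scope sets every unlisted scope to `none`, a one-line comment such as `# Required to check out the repository` (presumably the reason; confirm against the job's steps) would let a later reviewer tell a justified grant from a leftover one. It is also worth checking that no step further down in `lint` relies on a scope that is now implicitly removed.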