From 6db87687e2c6b387fdad8ea1e1e3c016456f788f Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 16:54:48 +0200
Subject: [PATCH 1/2] build: harden deploy.yml permissions

Signed-off-by: Alex
---
 .github/workflows/deploy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 082a28fc791..58653e4d88f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '0 7 * * *'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   deploy_docs:
     runs-on: ubuntu-20.04

From 77f3d664942529d3e4a33d19d9d71a042c2379c0 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 16:56:53 +0200
Subject: [PATCH 2/2] build: harden push_pull.yml permissions

Signed-off-by: Alex
---
 .github/workflows/push_pull.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/push_pull.yml b/.github/workflows/push_pull.yml
index 1de0439032d..fec06489853 100644
--- a/.github/workflows/push_pull.yml
+++ b/.github/workflows/push_pull.yml
@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: '0 3 * * *'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   regular_check:
     runs-on: macos-latest
@@ -24,6 +27,10 @@ jobs:
         ubsan: false
 
   sanitizer_check:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      issues: write # to create an issue
+
     runs-on: macos-latest
     if: (github.event_name == 'schedule' && github.repository == 'espressomd/espresso')
     steps:
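Review bot: The workflow-level `contents: read` in deploy.yml also governs `deploy_docs`, whose steps lie outside this hunk; if that job publishes the built documentation by pushing with `GITHUB_TOKEN`, it now lacks `contents: write` and the push step will fail, so either confirm it authenticates with a deploy key or repository secret, or give it a job-level `permissions:` block the way the second patch does for `sanitizer_check`. Once `contents: read` is the default, any further scope a job needs has to be declared at the job level, so a one-line header comment above the new block, e.g. `# default token scope for every job; jobs needing more declare their own permissions block`, would make that expectation visible. On style, the inline comments leave a single space before `#` (`contents: read # to fetch code (actions/checkout)`); yamllint's default asks for two, as in `contents: read  # to fetch code (actions/checkout)`, and the same applies to both hunks of push_pull.yml.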
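Review bot: The job-level `permissions:` added to `sanitizer_check` replaces the workflow-level block instead of extending it, so the repeated `contents: read` is load-bearing rather than redundant; a short comment would stop a later cleanup from removing it, e.g. `# job-level permissions replace the workflow defaults entirely, so contents: read must be restated for checkout`. The `issues: write` grant is the narrowest scope that lets the scheduled run open an issue, and the existing `if:` line below it confines that token to scheduled runs on the upstream repository, which reads correctly. The job's steps continue past the end of the hunk, so whether any of them needs a further scope cannot be checked from here.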