From 5f760025004bdb02f9844011033459c30347f215 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak
Date: Thu, 4 Aug 2022 20:00:35 +0200
Subject: [PATCH] Restricted permissions for GitHub tokens.

---
 .github/workflows/docs.yml | 3 +++
 .github/workflows/linters.yml | 3 +++
 .github/workflows/new_contributor_pr.yml | 4 ++++
 .github/workflows/schedule_tests.yml | 3 +++
 .github/workflows/schedules.yml | 4 ++++
 .github/workflows/tests.yml | 3 +++
 6 files changed, 20 insertions(+)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 5208699e38f7..9975a632bfd8 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 jobs:
 docs:
 # OS must be the same as on djangoproject.com.
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index e24733172e85..eaa11ced3c93 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -14,6 +14,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 jobs:
 flake8:
 name: flake8
diff --git a/.github/workflows/new_contributor_pr.yml b/.github/workflows/new_contributor_pr.yml
index 3efc556ef47f..0848c0118714 100644
--- a/.github/workflows/new_contributor_pr.yml
+++ b/.github/workflows/new_contributor_pr.yml
@@ -4,6 +4,10 @@ on:
 pull_request_target:
 types: [opened]

+permissions:
+ issues: write
+ pull-requests: read
+
 jobs:
 build:
 name: Hello new contributor
diff --git a/.github/workflows/schedule_tests.yml b/.github/workflows/schedule_tests.yml
index 11c8ecce6e99..4677a3ed3210 100644
--- a/.github/workflows/schedule_tests.yml
+++ b/.github/workflows/schedule_tests.yml
@@ -7,6 +7,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 jobs:
 windows:
 runs-on: windows-latest
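Review bot: The new workflow-level `permissions:` block in docs.yml carries no comment, and the same holds for the identical `contents: read` hunks in linters.yml, schedule_tests.yml and tests.yml. Declaring any scope here sets every unlisted scope to `none`, which is the point of the change but is easy to miss when a later job needs more. I would add `# Least privilege: unlisted GITHUB_TOKEN scopes are none; grant extras per job, not here.` above `permissions:` so that a future job widens its own `permissions:` rather than this block. The `jobs:` mapping continues outside each hunk, so whether any existing step needs more than read access cannot be confirmed from the diff.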
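Review bot: In new_contributor_pr.yml the token keeps `issues: write` under a `pull_request_target` trigger, which runs in the base repository's context for pull requests from forks, and nothing next to the block records the constraint that follows from that. A comment such as `# pull_request_target: token can write on fork PRs; this job must never check out or run PR code.` above `permissions:` would keep a later edit from adding a checkout of the PR head. The `build` job's steps are outside the hunk, so I cannot see how the greeting is posted. If posting it on the pull request turns out to need `pull-requests: write`, then `pull-requests: read` is too narrow, which is worth confirming on a test PR.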
diff --git a/.github/workflows/schedules.yml b/.github/workflows/schedules.yml
index d58af423ffa9..bd9cced24000 100644
--- a/.github/workflows/schedules.yml
+++ b/.github/workflows/schedules.yml
@@ -5,6 +5,10 @@ on:
 - cron: '42 2 * * *'
 workflow_dispatch:

+permissions:
+ actions: write
+ contents: read
+
 jobs:
 trigger-runs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 696596015515..cfdc661560a1 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -14,6 +14,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 jobs:
 windows:
 runs-on: windows-latest
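Review bot: `actions: write` in schedules.yml is the only write scope this workflow keeps, and the hunk gives no reason for it. Presumably `trigger-runs` dispatches other workflows, but its steps are outside the hunk; if so, record it with a comment such as `# actions: write is required to dispatch the scheduled test workflows.` The scope also permits cancelling workflow runs, so I would declare it under `jobs.trigger-runs.permissions` and leave the workflow level at `contents: read`, so that a job added later does not inherit it.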