From d9d7e38d60ba578e04d6cce8b455cad0b258c44d Mon Sep 17 00:00:00 2001
From: Matt Boersma
Date: Tue, 23 Jan 2024 13:27:06 -0700
Subject: [PATCH] Set specific token permissions in GH actions

---
 .github/workflows/dependabot-code-gen.yml | 7 ++++---
 .github/workflows/release.yaml | 13 +++++++++----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/dependabot-code-gen.yml b/.github/workflows/dependabot-code-gen.yml
index 44d96b11a15..7fb0c20ebea 100644
--- a/.github/workflows/dependabot-code-gen.yml
+++ b/.github/workflows/dependabot-code-gen.yml
@@ -9,11 +9,13 @@ on:
       - dependabot/**
   workflow_dispatch:
 
-permissions:
-  contents: write # Allow to update the PR.
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
 
 jobs:
   build:
+    permissions:
+      contents: write # for EndBug/add-and-commit
     name: Build
     runs-on: ubuntu-latest
     steps:
@@ -21,7 +23,6 @@ jobs:
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
-
       - name: Set up Go 1.x
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5ce72d74444..ddf6dc30249 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,11 +7,14 @@ on:
     paths:
       - 'CHANGELOG/*.md'
 
-permissions:
-  contents: write # Allow to push a tag, create a release branch and publish a draft release.
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
 
 jobs:
   push_release_tag:
+    permissions:
+      pull-requests: read # for tj-actions/changed-files
+      contents: write # for "Create Release Tag" step
     runs-on: ubuntu-latest
     outputs:
       release_tag: ${{ steps.release-version.outputs.release_version }}
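Review bot: The job-level `permissions:` block added under `build` replaces the workflow-level block rather than extending it, so the job now runs with exactly `contents: write` and no other scope; the removed top-level comment said the token was used to "update the PR", and if any step in `build` (its steps lie mostly outside the hunk) touches the pull-request API rather than only pushing commits, that call would now be refused. The new top-level comment records the tool that generated the line rather than the policy it expresses; I would write it as `permissions: # default-deny: read-only token; each job grants only the scopes its steps need`. Since `EndBug/add-and-commit` is the step that exercises the write token and is outside the hunk, it is worth confirming it is pinned to a full commit SHA the way harden-runner is below.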
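Review bot: `push_release_tag` now holds `contents: write` for the entire job, so every third-party action it runs — including `tj-actions/changed-files`, named in the new comment — executes with a token that can push tags and branches, and a compromised or mutable-tag-referenced action there is a direct path to a forged release tag. The `changed-files` step lies outside the hunk, so I cannot see whether it is pinned to a full commit SHA like harden-runner and checkout are in the next hunk; it should be. The `pull-requests: read` grant is only needed by changed-files on `pull_request` events — the `on:` block is only partly visible here (the `paths:` filter), so if this workflow runs on `push` alone the scope can be dropped. Because GitHub scopes the token per job, the only way to keep the version/changed-files computation read-only is to move the tag push into its own job that consumes the computed version as an output.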
@@ -20,7 +23,7 @@ jobs:
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
-      - name: Checkout code
+      - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
         with:
           fetch-depth: 0
@@ -80,6 +83,8 @@ jobs:
           git push origin ${RELEASE_VERSION}
           echo "Created tag $RELEASE_VERSION"
   release:
+    permissions:
+      contents: write # for softprops/action-gh-release to create GitHub release
     name: create draft release
     runs-on: ubuntu-latest
     needs: push_release_tag
@@ -116,4 +121,4 @@ jobs:
           draft: true
           files: out/*
           body_path: ${{ env.RELEASE_TAG }}.md
-          tag_name: ${{ env.RELEASE_TAG }}
\ No newline at end of file
+          tag_name: ${{ env.RELEASE_TAG }}
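Review bot: `contents: write` on the `release` job is the correct minimum for creating the draft release and uploading `out/*`, but the token is job-scoped, so if this same job also builds the artifacts (its steps lie outside the hunk) the Go toolchain and every module it fetches run with a token that can create releases and push to the repository. Least privilege would be a read-only build job that uploads `out/*` as a workflow artifact, with `release` only downloading it and running `softprops/action-gh-release` under `contents: write`. If the job is already publish-only, say so at the grant so the next reader does not have to re-check: `contents: write # minimum scope to create the release and upload assets; this job must not build code`.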