From 75ec670aa6e52d7f7914e0e6fdd8da4c650fef72 Mon Sep 17 00:00:00 2001
From: Michal Zielenkiewicz
Date: Mon, 6 Mar 2023 17:33:36 +0100
Subject: [PATCH] Ensure top-level permissions are not set to write-all

---
 .github/workflows/build-test.yaml | 2 ++
 .github/workflows/dump-validators.yml | 4 ++++
 .github/workflows/mega-linter.yml | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 701beb2239..48703929eb 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [stable, master]
 
+permissions: {} # disable secrets.GITHUB_TOKEN permissions
+
 jobs:
   yarn_cache:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/dump-validators.yml b/.github/workflows/dump-validators.yml
index a87d4f832a..cf3a9e5c91 100644
--- a/.github/workflows/dump-validators.yml
+++ b/.github/workflows/dump-validators.yml
@@ -6,6 +6,10 @@ on:
   schedule:
     - cron: '0 0 1 * *'
 
+permissions: # Limit secrets.GITHUB_TOKEN permissions
+  contents: write
+  pull-requests: write
+
 jobs:
   dump-validators:
     if: github.repository == 'oasisprotocol/oasis-wallet-web'
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index 0f8f6a59aa..0c726c8404 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -9,6 +9,10 @@ on:
   pull_request:
     branches: [stable, master]
 
+permissions: # Limit secrets.GITHUB_TOKEN permissions
+  contents: write
+  pull-requests: write
+
 env: # Comment env block if you do not want to apply fixes
   # Apply linter fixes configuration
   APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
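Review bot: The top-level `permissions: {}` added to build-test.yaml strips every scope from GITHUB_TOKEN, including `contents: read`, so any job in this workflow that reads the repository through the token (checkout of a private repo, cache or API calls) will start failing with a 403; the job bodies begin after the end of the hunk, so I cannot confirm none of them do. If a job does need a scope, grant it on that job (`permissions:` with `contents: read` under `jobs.<id>`) rather than loosening the top level again. The inline comment would also be clearer if it stated the policy rather than the mechanism, e.g. `# no GITHUB_TOKEN scopes by default; a job that needs one declares it at job level`.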
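Review bot: The `contents: write` and `pull-requests: write` grants placed at the top level of dump-validators.yml apply to every job in the workflow, not just the one that has to push a branch and open a pull request, so the commit replaces write-all with two grants that are still workflow-wide. Move the same two entries under `jobs.dump-validators.permissions:` and set the top level to `permissions: {}`, so that any job added later starts with nothing. The job steps that actually use the token are outside the hunk, so the need for both scopes is inferred from the grants themselves rather than verified here.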
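Review bot: The write grants added to mega-linter.yml exist only so that MegaLinter can commit or propose the fixes enabled by `APPLY_FIXES: all` in the env block directly below, but nothing in the hunk ties the two together; someone who follows that block's own advice and comments it out would leave a linter running with `contents: write` for no reason. Replace the generic comment on `permissions:` with one that records the dependency, e.g. `# write scopes are needed only because APPLY_FIXES below commits/opens PRs with fixes; drop to contents: read if that block is disabled`. Note too that on `pull_request` runs from forks GitHub hands out a read-only token regardless of these grants, so the auto-fix path presumably only takes effect for same-repository branches and is silently skipped otherwise; worth a comment if that is intended. Scoping the grants to the job that runs MegaLinter instead of the top level would also be tighter, but that job lies outside the hunk.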