From 5fd9c86f77f099ef452e780a99d438356f9ed6eb Mon Sep 17 00:00:00 2001
From: Casper Meijn <casper@meijn.net>
Date: Wed, 20 Nov 2024 08:56:21 +0100
Subject: [PATCH] ci: Restrict permissions of `GITHUB_TOKEN` (#1189)

---
 .github/workflows/ci.yml     | 2 ++
 .github/workflows/cifuzz.yml | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1dd4a1912..72c8b6fe7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@ on:
   merge_group:
     branches: [ "master" ]
 
+permissions:
+  contents: read
 
 env:
   PROTOC_VERSION: '3.25.3'
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 2960899d0..f3f912b53 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest