From 38f0524e88168b5ef0d175207fd938eb2251ea4b Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 18:00:28 +0200
Subject: [PATCH 1/3] build: harden ci.yml permissions
Signed-off-by: Alex
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 082e0d247c..33ec3d6602 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 inspect-code:
 name: Code Quality
From 90dd3c3020c5df90fb48980a4fb9de03dd3b9d52 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 18:03:13 +0200
Subject: [PATCH 2/3] build: harden report-nunit.yml permissions
Signed-off-by: Alex
---
 .github/workflows/report-nunit.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/report-nunit.yml b/.github/workflows/report-nunit.yml
index 358cbda17a..bfc9620174 100644
--- a/.github/workflows/report-nunit.yml
+++ b/.github/workflows/report-nunit.yml
@@ -8,8 +8,12 @@ on:
 workflows: ["Continuous Integration"]
 types:
 - completed
+permissions: {}
 jobs:
 annotate:
+ permissions:
+ checks: write # to create checks (dorny/test-reporter)
+
 name: Annotate CI run with test results
 runs-on: ubuntu-latest
 if: ${{ github.event.workflow_run.conclusion != 'cancelled' }}
From 68f62ca9cd653f0e9175be716ebd2ac492c3b6f7 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 18:04:27 +0200
Subject: [PATCH 3/3] build: harden sentry-release.yml permissions
Signed-off-by: Alex
---
 .github/workflows/sentry-release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/sentry-release.yml b/.github/workflows/sentry-release.yml
index 442b97c473..cce3f23e5f 100644
--- a/.github/workflows/sentry-release.yml
+++ b/.github/workflows/sentry-release.yml
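Review bot: The workflow-level `permissions:` block added to ci.yml leaves `GITHUB_TOKEN` with only `contents: read` for every job, and the `jobs:` section that would have to carry per-job overrides lies outside this hunk; please confirm none of its steps writes checks, PR comments, packages or releases through `GITHUB_TOKEN`, because those now fail at run time with a 403 rather than at lint time (the same check applies to the `sentry_release` job in patch 3/3, whose steps are likewise not in its hunk). As a style point, the added `contents: read # to fetch code (actions/checkout)` line has a single space before `#`; yamllint's `comments` rule expects at least two, i.e. `contents: read  # to fetch code (actions/checkout)`, and the identical comment in sentry-release.yml has the same spacing. The read-only token is the right default for a CI workflow triggered from pull requests, so the intent is sound; only the job inventory needs confirming.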
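Review bot: With `permissions: {}` at workflow level, the `annotate` job's token carries only `checks: write`; if the dorny/test-reporter step (outside this hunk) reads the results via its `artifact:` input from the triggering run, that download goes through the Actions API, and as far as I recall the action's README example for the `workflow_run` trigger declares `actions: read` alongside `checks: write` for exactly that reason. Suggest verifying the step and, if it consumes an artifact, widening the job block to `permissions:` / `checks: write # to create checks (dorny/test-reporter)` / `actions: read # to download the CI run's artifact`, keeping the existing comment convention. The top-level `permissions: {}` is the correct default here, since a `workflow_run` job executes with the base repository's secrets and token regardless of where the triggering run originated, so every scope it holds should be explicit.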
@@ -5,6 +5,9 @@ on:
 tags:
 - '*'
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 sentry_release:
 runs-on: ubuntu-latest