From 50e29cf7877185ad706ba68372c8ac805fe9fdd5 Mon Sep 17 00:00:00 2001
From: Kevin Stillhammer <kevin.stillhammer@gmail.com>
Date: Tue, 18 Mar 2025 15:17:44 +0100
Subject: [PATCH] Set required workflow permissions

---
 .github/workflows/release-drafter.yml         | 3 +++
 .github/workflows/test-cache-windows.yml      | 3 +++
 .github/workflows/test-cache.yml              | 3 +++
 .github/workflows/test-windows.yml            | 3 +++
 .github/workflows/test.yml                    | 3 +++
 .github/workflows/update-known-checksums.yml  | 3 +++
 .github/workflows/update-major-minor-tags.yml | 2 ++
 7 files changed, 20 insertions(+)

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index ab82d28..7c34a87 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -12,6 +12,9 @@ jobs:
   update_release_draft:
     name: ✏️ Draft release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
     steps:
       - name: 🚀 Run Release Drafter
         uses: release-drafter/release-drafter@v6.1.0
diff --git a/.github/workflows/test-cache-windows.yml b/.github/workflows/test-cache-windows.yml
index a7a7398..918756c 100644
--- a/.github/workflows/test-cache-windows.yml
+++ b/.github/workflows/test-cache-windows.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test-setup-cache:
     runs-on: windows-latest
diff --git a/.github/workflows/test-cache.yml b/.github/workflows/test-cache.yml
index eecb94b..53f7465 100644
--- a/.github/workflows/test-cache.yml
+++ b/.github/workflows/test-cache.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test-setup-cache:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml
index df74d21..cb8565c 100644
--- a/.github/workflows/test-windows.yml
+++ b/.github/workflows/test-windows.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test-default-version:
     runs-on: windows-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b38cfa5..30cf80c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-known-checksums.yml b/.github/workflows/update-known-checksums.yml
index 94d5de3..c96d30c 100644
--- a/.github/workflows/update-known-checksums.yml
+++ b/.github/workflows/update-known-checksums.yml
@@ -7,6 +7,9 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
diff --git a/.github/workflows/update-major-minor-tags.yml b/.github/workflows/update-major-minor-tags.yml
index 35c4c27..2855853 100644
--- a/.github/workflows/update-major-minor-tags.yml
+++ b/.github/workflows/update-major-minor-tags.yml
@@ -12,6 +12,8 @@ jobs:
   update_major_minor_tags:
     name: Make sure major and minor tags are up to date on a patch release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - name: Update Major Minor Tags