From b1537c801d13e56701ee454faa5d0342d94e71d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?=
Date: Fri, 5 Apr 2024 11:14:25 +0200
Subject: [PATCH] Set read-only permission for Github Actions in CI

This sets the default permission for CI workflows to only be able to read from the repository (scope: "contents"). A compromised action will not be able to modify the repo or even steal secrets since all other permission-scopes are implicit set to "none", i.e. not permitted. More about permissions and scope can be found here: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/redis-compatibility.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cda92b5..1904f50 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   fmt:
     runs-on: ubuntu-20.04
diff --git a/.github/workflows/redis-compatibility.yml b/.github/workflows/redis-compatibility.yml
index c19afcf..99c4050 100644
--- a/.github/workflows/redis-compatibility.yml
+++ b/.github/workflows/redis-compatibility.yml
@@ -2,6 +2,9 @@ name: Redis compatibility testing
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   redis:
     name: Redis ${{ matrix.redis-version }}
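Review bot: The new workflow-level `permissions: contents: read` block restricts only the automatically issued GITHUB_TOKEN; any repository secret a step consumes through the `secrets.*` context is still handed to that step, so the description's claim that a compromised action cannot steal secrets holds for the token but not for other secrets the jobs may reference. The same block is added in the redis-compatibility.yml hunk, and this note applies to both. Because every other scope now falls back to none at workflow level, a job that later needs write access (for example to post a check or comment) should opt in with a job-level `permissions:` instead of widening this top-level default, which is worth recording in a comment such as `# Least privilege: the default GITHUB_TOKEN can only read repo contents; grant extra scopes per job.` Whether the actions used by these jobs are pinned to commit SHAs is not visible in the hunks, but tag-pinned third-party actions remain the main residual exposure that this permission change does not address.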