From 5a48b79430161bd9c79aba82ca77ebfd3484a3f9 Mon Sep 17 00:00:00 2001
From: Gladwin Johnson <90415114+gladjohn@users.noreply.github.com>
Date: Fri, 23 Feb 2024 12:44:40 -0800
Subject: [PATCH] [Code Scan] Refine GitHub Actions Workflow Permissions for Enhanced Security (#4647)

* Update trigger_onebranch_ci.yml

* Update benchmark-action.yml
---
 .github/workflows/benchmark-action.yml | 6 +++---
 .github/workflows/trigger_onebranch_ci.yml | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/benchmark-action.yml b/.github/workflows/benchmark-action.yml
index dbf4f50047..c94e05e3ee 100644
--- a/.github/workflows/benchmark-action.yml
+++ b/.github/workflows/benchmark-action.yml
@@ -8,13 +8,13 @@ on:
 - src/client/Microsoft.Identity.Client/**/*.cs
 
 permissions:
- # Deployments permission to deploy GitHub pages website
- deployments: write
 # Contents permission to update benchmark contents in gh-pages branch
- contents: write
+ contents: read
 
 jobs:
 benchmark:
+ permissions:
+ contents: write # Elevate permissions specifically for this job
 name: Run performance benchmarks
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/trigger_onebranch_ci.yml b/.github/workflows/trigger_onebranch_ci.yml
index ca95a4577d..bf2da43377 100644
--- a/.github/workflows/trigger_onebranch_ci.yml
+++ b/.github/workflows/trigger_onebranch_ci.yml
@@ -7,6 +7,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Call OneBranch ADO Pipeline (CI)
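Review bot: In benchmark-action.yml the surviving comment `# Contents permission to update benchmark contents in gh-pages branch` now sits directly above `contents: read`, so it documents the wrong line; the write grant it describes moved to the job block. I would change the workflow-level line to `# Default the GITHUB_TOKEN to read-only; the benchmark job elevates contents below` and put `# contents: write is needed to push benchmark results to the gh-pages branch` on the job-level grant in place of the trailing "Elevate permissions" remark. Also worth stating in that job-level comment that a job-level `permissions` map replaces the workflow-level map rather than merging with it, so the job holds exactly `contents: write` and nothing else — in particular the removed `deployments: write` is not re-granted, which is only correct if none of the benchmark steps (outside this hunk) use the Deployments API. The `steps:` list and the rest of the job continue past the end of the hunk.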
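Review bot: Adding a top-level `permissions:` map to trigger_onebranch_ci.yml sets every scope not listed to `none`, so if the `build` job (its steps are outside this hunk) authenticates to Azure DevOps or Azure via OIDC, `id-token: write` must now be granted explicitly at the job level or the federated login will fail with this change. If the job only uses a stored secret, the read-only default is the right choice and a one-line comment would save the next reader the same question, e.g. `# Read-only token by default; this job only forwards the trigger to ADO and needs no extra scopes`. That claim should be confirmed against the job steps before the comment is added.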