From 1cc44abe24f1d34ab8d47493f577b513cad26e78 Mon Sep 17 00:00:00 2001
From: Anton Volkov
Date: Sat, 3 Feb 2024 15:43:52 +0100
Subject: [PATCH 1/3] Specify permissions in GH Action workflows

---
 .github/workflows/build-sphinx.yml       | 2 ++
 .github/workflows/conda-package.yml      | 2 ++
 .github/workflows/generate_coverage.yaml | 2 ++
 .github/workflows/pre-commit.yml         | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/.github/workflows/build-sphinx.yml b/.github/workflows/build-sphinx.yml
index 6246ee13e12..5f64c743143 100644
--- a/.github/workflows/build-sphinx.yml
+++ b/.github/workflows/build-sphinx.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, closed]
 
+permissions: read-all
+
 env:
   GH_BOT_NAME: 'github-actions[bot]'
   GH_BOT_EMAIL: 'github-actions[bot]@users.noreply.github.com'
diff --git a/.github/workflows/conda-package.yml b/.github/workflows/conda-package.yml
index d9072c26a65..fe5cc0d9ac7 100644
--- a/.github/workflows/conda-package.yml
+++ b/.github/workflows/conda-package.yml
@@ -6,6 +6,8 @@ on:
       - master
   pull_request:
 
+permissions: read-all
+
 env:
   PACKAGE_NAME: dpnp
   MODULE_NAME: dpnp
diff --git a/.github/workflows/generate_coverage.yaml b/.github/workflows/generate_coverage.yaml
index e7479d445ea..dc603b2b9ff 100644
--- a/.github/workflows/generate_coverage.yaml
+++ b/.github/workflows/generate_coverage.yaml
@@ -4,6 +4,8 @@ on:
   push:
     branches: [master]
 
+permissions: read-all
+
 jobs:
   generate-coverage:
     name: Generate coverage and push to Coveralls.io
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index dd5047f22b1..aa17c7696df 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -5,6 +5,8 @@ on:
   push:
     branches: [master]
 
+permissions: read-all
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest

From 3192ea6b389f2ab5b0728a57c7104df1b1de7280 Mon Sep 17 00:00:00 2001
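Review bot: `permissions: read-all` hands the workflow token read access on every available scope, which is wider than a checkout-and-build job needs; the least-privilege baseline for the `permissions: read-all` line in build-sphinx.yml is a two-line block `permissions:` / `  contents: read`, and the same applies to the identical hunks in conda-package.yml, generate_coverage.yaml and pre-commit.yml. Scopes that a particular job genuinely needs beyond that are better granted on that job alone rather than to every job in the file. The affected jobs' steps are outside these hunks, so whether any of them reads another scope (for example the token's metadata-only defaults are always present) is inferred from the workflow names, not from visible code.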
From: Anton Volkov
Date: Sat, 3 Feb 2024 16:34:57 +0100
Subject: [PATCH 2/3] Added contents permissions write to deploy your static files to GitHub Pages

---
 .github/workflows/build-sphinx.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/build-sphinx.yml b/.github/workflows/build-sphinx.yml
index 5f64c743143..9ba29f434d2 100644
--- a/.github/workflows/build-sphinx.yml
+++ b/.github/workflows/build-sphinx.yml
@@ -27,6 +27,10 @@ jobs:
 
     runs-on: ubuntu-20.04
 
+    permissions:
+      # Needed to deploy your static files to GitHub Pages
+      contents: write
+
     env:
       python-ver: '3.9'
       CHANNELS: '-c dppy/label/dev -c intel -c conda-forge --override-channels'

From 29686646ea62d49e765c0b2200304669c1ceff11 Mon Sep 17 00:00:00 2001
From: Anton Volkov
Date: Sat, 3 Feb 2024 16:47:17 +0100
Subject: [PATCH 3/3] Added permissions required by actions

---
 .github/workflows/build-sphinx.yml       | 6 +++++-
 .github/workflows/conda-package.yml      | 4 ++++
 .github/workflows/generate_coverage.yaml | 4 ++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-sphinx.yml b/.github/workflows/build-sphinx.yml
index 9ba29f434d2..a547efec727 100644
--- a/.github/workflows/build-sphinx.yml
+++ b/.github/workflows/build-sphinx.yml
@@ -28,8 +28,12 @@ jobs:
     runs-on: ubuntu-20.04
 
     permissions:
-      # Needed to deploy your static files to GitHub Pages
+      # Needed to cancel any previous runs that are not completed for a given workflow
+      actions: write
+      # Needed to deploy static files to GitHub Pages
       contents: write
+      # Needed to add a comment to a pull request's issue
+      pull-requests: write
 
     env:
       python-ver: '3.9'
diff --git a/.github/workflows/conda-package.yml b/.github/workflows/conda-package.yml
index fe5cc0d9ac7..ddbd9191287 100644
--- a/.github/workflows/conda-package.yml
+++ b/.github/workflows/conda-package.yml
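Review bot: `contents: write` is granted to the entire job, so every step of it — including the runs triggered by the workflow's `pull_request` events, where there is nothing to deploy — executes with a token that can push to the repository, while only the Pages deployment step needs that scope. Splitting the deployment into its own job that carries `contents: write` (or `pages: write` plus `id-token: write` if the Pages deployment action is used) and keeping the build job at `contents: read` confines the write capability to the step that uses it. The job's steps lie outside the hunk, so which step performs the deployment is taken from the added comment rather than from visible code.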
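Review bot: `actions: write` is granted solely to cancel stale runs, per its comment, yet that scope covers far more than cancellation (managing workflow runs and their artifacts repository-wide); the workflow-level `concurrency:` key achieves the same cancellation with no token scope at all, e.g. `concurrency:` / `  group: ${{ github.workflow }}-${{ github.ref }}` / `  cancel-in-progress: true`, after which `actions: write` can be dropped here and in the conda-package.yml and generate_coverage.yaml hunks of this same patch. The comments would also help the next reviewer more if each named the step that consumes the scope, e.g. `# pull-requests: write — used by the <comment-posting step> step`, so a later removal of that step is recognised as a chance to remove the grant. The steps that use these scopes are outside the hunk, so the cancellation being done by a dedicated action step is inferred from the comment.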
@@ -60,6 +60,10 @@ jobs:
         python: ['3.9', '3.10', '3.11']
         os: [ubuntu-20.04, windows-latest]
 
+    permissions:
+      # Needed to cancel any previous runs that are not completed for a given workflow
+      actions: write
+
     runs-on: ${{ matrix.os }}
 
     defaults:
diff --git a/.github/workflows/generate_coverage.yaml b/.github/workflows/generate_coverage.yaml
index dc603b2b9ff..b5b0e4a40b9 100644
--- a/.github/workflows/generate_coverage.yaml
+++ b/.github/workflows/generate_coverage.yaml
@@ -11,6 +11,10 @@ jobs:
     name: Generate coverage and push to Coveralls.io
     runs-on: ubuntu-20.04
 
+    permissions:
+      # Needed to cancel any previous runs that are not completed for a given workflow
+      actions: write
+
     defaults:
       run:
         shell: bash -l {0}
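Review bot: A job-level `permissions:` block does not merge with the workflow-level `permissions: read-all` added in the first patch — it replaces it for this job and sets every unlisted scope to none, so the job token here ends up with `actions: write` and nothing else, `contents` included; if any step in the job (the checkout, for instance) relies on `contents: read`, it has to be listed explicitly, e.g. `      contents: read` under the new `permissions:` key, and the same applies to the generate_coverage.yaml hunk below. Listing `contents: read` alongside would make the job's actual requirement explicit even where the checkout happens to succeed on a public repository without it. The job's steps are outside both hunks, so which scopes they consume is inferred rather than read from the diff.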