From eff182289f96ed69c804ba755e1f8fb5337d2a18 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 3 Jul 2024 10:37:07 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/cve-scanning.yml | 3 +++
 .github/workflows/package.yml | 3 +++
 .github/workflows/semgrep.yml | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml
index 9c07dcaca..38ee73d96 100644
--- a/.github/workflows/cve-scanning.yml
+++ b/.github/workflows/cve-scanning.yml
@@ -18,6 +18,9 @@ on:
 # Run every day at 5am and 5pm
 - cron: '0 5,17 * * *'
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index a540aa3de..d02f7ea5a 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -24,6 +24,9 @@ on:
 - '.github/workflows/docusaurus.yml'
 - 'docs/**'
 - 'website/**'
+permissions:
+ contents: read
+
 jobs:
 package-build:
 name: Build on Node ${{ matrix.node }} and ${{ matrix.os }}
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 27f1c5375..c16731a70 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -7,6 +7,9 @@ on:
 # Run every day at 5am and 5pm
 - cron: '0 5,17 * * *'
+permissions:
+ contents: read
+
 jobs:
 semgrep:
 name: run-semgrep
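Review bot: The workflow-level `permissions: contents: read` added in the cve-scanning.yml hunk will cause any step in the `build` job that uploads results to GitHub code scanning to fail, because a SARIF upload requires the `security-events: write` scope that this read-only default removes; the job's steps are outside the hunk, so whether such a step exists cannot be confirmed here. If the job does upload findings, keep the top-level block read-only and grant the scope on the job itself, under `build:`: `permissions:` / `contents: read` / `security-events: write`. The same check applies to the `semgrep` job in the semgrep.yml hunk, whose body is likewise outside its hunk. Watch the first scheduled run after merge for a 403 from any upload or issue-creation step, which is the symptom of a missing job-level scope.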
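Review bot: In the package.yml hunk, `permissions:` is placed immediately after the last `paths-ignore` entry of the `on:` block with no separating blank line, so two unrelated top-level keys run together; insert a blank line before `permissions:` as is done after it. Functionally, `contents: read` is sufficient only if `package-build` and any later jobs in this workflow build and upload artifacts; a job that publishes (npm provenance via `id-token: write`, GitHub Packages via `packages: write`, or a GitHub release via `contents: write`) must now declare that scope at job level or it will fail at the publish step. The remaining jobs are outside the hunk, so this needs confirming against the rest of package.yml.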