From 447fd34b0258f678ffde0bee9cfd204bb0251396 Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Wed, 17 Apr 2024 18:26:44 +1200
Subject: [PATCH] ENH Add workflow permissions

---
 .github/workflows/dispatch-ci.yml | 5 +++++
 .github/workflows/keepalive.yml | 4 ++++
 .github/workflows/merge-up.yml | 5 +++++
 .github/workflows/update-js.yml | 6 ++++++
 4 files changed, 20 insertions(+)

diff --git a/.github/workflows/dispatch-ci.yml b/.github/workflows/dispatch-ci.yml
index b9944c60d..f805c7509 100644
--- a/.github/workflows/dispatch-ci.yml
+++ b/.github/workflows/dispatch-ci.yml
@@ -5,12 +5,17 @@ on:
 schedule:
 - cron: '20 11 * * 2,3'
 
+permissions: {}
+
 jobs:
 dispatch-ci:
 name: Dispatch CI
 # Only run cron on the silverstripe account
 if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: write
 steps:
 - name: Dispatch CI
 uses: silverstripe/gha-dispatch-ci@v1
diff --git a/.github/workflows/keepalive.yml b/.github/workflows/keepalive.yml
index c6f190ff0..346567650 100644
--- a/.github/workflows/keepalive.yml
+++ b/.github/workflows/keepalive.yml
@@ -6,12 +6,16 @@ on:
 - cron: '30 6 11 * *'
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 keepalive:
 name: Keepalive
 # Only run cron on the silverstripe account
 if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
 runs-on: ubuntu-latest
+ permissions:
+ actions: write
 steps:
 - name: Keepalive
 uses: silverstripe/gha-keepalive@v1
diff --git a/.github/workflows/merge-up.yml b/.github/workflows/merge-up.yml
index 3a86b1d79..920e880c8 100644
--- a/.github/workflows/merge-up.yml
+++ b/.github/workflows/merge-up.yml
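Review bot: In dispatch-ci.yml the new job-level `permissions:` block grants `actions: write` with no comment saying which call needs it, and the job's only step is `silverstripe/gha-dispatch-ci@v1`, whose code is not visible here, so a reader cannot confirm the grant is the minimum. I would add a line above each grant, for example `# actions: write - used by gha-dispatch-ci to trigger workflow runs (confirm against the action)`. The same applies to the job-level blocks added in keepalive.yml, merge-up.yml and update-js.yml. Because `@v1` is a movable tag, whatever it resolves to inherits these write scopes. Pinning the `uses:` lines to a full commit SHA would make each grant reviewable, though those lines are context and not changed by this commit.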
@@ -6,12 +6,17 @@ on:
 - cron: '20 11 * * 6'
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 merge-up:
 name: Merge-up
 # Only run cron on the silverstripe account
 if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ actions: write
 steps:
 - name: Merge-up
 uses: silverstripe/gha-merge-up@v1
diff --git a/.github/workflows/update-js.yml b/.github/workflows/update-js.yml
index 859370b02..e9fb831b2 100644
--- a/.github/workflows/update-js.yml
+++ b/.github/workflows/update-js.yml
@@ -6,12 +6,18 @@ on:
 schedule:
 - cron: '30 6 1 */3 *'
 
+permissions: {}
+
 jobs:
 update-js:
 name: Update JS
 # Only run cron on the silverstripe account
 if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-request: write
+ actions: write
 steps:
 - name: Update JS
 uses: silverstripe/gha-update-js@v1
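Review bot: In update-js.yml the added `pull-request: write` is not a valid permission key; GitHub names the scope `pull-requests`, so the line should read `pull-requests: write`. Because the same commit sets `permissions: {}` at the top of the file, nothing else grants that scope. As written the workflow is expected either to be rejected as invalid or to run without pull-request write access, which would break whatever `silverstripe/gha-update-js@v1` does to open its pull request (inferred from the action name, its code is not shown). The other keys in this block, `contents` and `actions`, match the documented names.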