From 2d36b9ead3a948a25a8e42b6dcd6de01ff11cbc5 Mon Sep 17 00:00:00 2001
From: Tom Gehrke
Date: Mon, 1 Apr 2024 19:51:47 +0200
Subject: [PATCH] reduce default workflow permissions

---
 .github/workflows/container-image.yml    | 3 +++
 .github/workflows/helm-chart-release.yml | 3 +++
 .github/workflows/installer-build.yml    | 3 +++
 .github/workflows/manager-build.yml      | 3 +++
 .github/workflows/sbom.yml               | 3 +++
 .github/workflows/sign-image.yml         | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
index 8d1c33b0..5f9b60ed 100644
--- a/.github/workflows/container-image.yml
+++ b/.github/workflows/container-image.yml
@@ -1,5 +1,8 @@
 name: Build container image
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml
index 59fe6bec..b331fe0f 100644
--- a/.github/workflows/helm-chart-release.yml
+++ b/.github/workflows/helm-chart-release.yml
@@ -4,6 +4,9 @@
 # of the `charts` directory.
 name: Release helm chart
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/installer-build.yml b/.github/workflows/installer-build.yml
index cb42968d..3f00cd9f 100644
--- a/.github/workflows/installer-build.yml
+++ b/.github/workflows/installer-build.yml
@@ -1,5 +1,8 @@
 name: Build installer image, sign it, and generate SBOMs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     outputs:
diff --git a/.github/workflows/manager-build.yml b/.github/workflows/manager-build.yml
index f49ded06..7aafbabe 100644
--- a/.github/workflows/manager-build.yml
+++ b/.github/workflows/manager-build.yml
@@ -1,5 +1,8 @@
 name: Build manager image, sign it, and generate SBOMs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     outputs:
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index d20ebfc1..596abd7f 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
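Review bot: A workflow-level `permissions: contents: read` removes every other token scope for every job, so any job in these workflows that pushes an image, publishes a release or signs with the OIDC token must now re-request what it needs at job level, and those job blocks are outside the hunks, so they should be checked before merge. The titles of installer-build.yml, manager-build.yml and sign-image.yml indicate image signing, which for keyless signing needs `id-token: write`, a registry push needs `packages: write`, and the release step in helm-chart-release.yml most likely needs `contents: write`; a job that needs them would carry something like `permissions: { contents: read, packages: write, id-token: write }`. Without such job-level grants the affected steps fail on the write call rather than run over-privileged, which is the safe failure mode, but a CI run on a branch would confirm nothing regressed. For the five `workflow_call` workflows (all but helm-chart-release.yml) a called workflow can only downgrade the caller's token, so the calling job's `permissions:` must still grant any write scope a called job re-requests. The same applies to the sbom.yml and sign-image.yml hunks on the next line.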
@@ -1,5 +1,8 @@
 name: Generate SBOMs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/sign-image.yml b/.github/workflows/sign-image.yml
index e3618e44..b82f8b44 100644
--- a/.github/workflows/sign-image.yml
+++ b/.github/workflows/sign-image.yml
@@ -1,5 +1,8 @@
 name: Sign image
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs: