From 87e7f3a61ca387b727df3b4b23701be89b4c217a Mon Sep 17 00:00:00 2001
From: Ashish Kurmi <akurmi@stepsecurity.io>
Date: Sun, 2 Oct 2022 11:16:13 -0700
Subject: [PATCH] ci: add minimum GitHub token permissions for workflows
 Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>

---
 .github/workflows/release.yml | 3 +++
 .github/workflows/tests.yml   | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8f3c8a6ce..85fc1f92a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   generate:
     name: 'Update node-red-docker image'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 0db909da6..b7f54c5f1 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -6,8 +6,14 @@ on:
   pull_request:
     branches: [ master, dev ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      checks: write  # for coverallsapp/github-action to create new checks
+      contents: read  # for actions/checkout to fetch code
     runs-on: ubuntu-latest
     strategy:
       matrix: