From 9bdbaef105b3b982d0a4ce63d852711c80e6c78d Mon Sep 17 00:00:00 2001
From: Varun Sharma <varunsh@stepsecurity.io>
Date: Fri, 10 Nov 2023 05:14:29 -0800
Subject: [PATCH] ci: add minimum GitHub token permissions for workflows
 (#8169)

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
---
 .github/workflows/dependabot-merge.yml   | 3 +++
 .github/workflows/docker-image-check.yml | 3 +++
 .github/workflows/nodejs.yml             | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/dependabot-merge.yml b/.github/workflows/dependabot-merge.yml
index bed017ba..c91b4d66 100644
--- a/.github/workflows/dependabot-merge.yml
+++ b/.github/workflows/dependabot-merge.yml
@@ -4,6 +4,9 @@ on:
   pull_request_target:
     branches: [ master, next ]
 
+permissions:
+  contents: read
+
 jobs:
   merge-me:
     name: Merge me!
diff --git a/.github/workflows/docker-image-check.yml b/.github/workflows/docker-image-check.yml
index 60588dd4..fb377fc7 100644
--- a/.github/workflows/docker-image-check.yml
+++ b/.github/workflows/docker-image-check.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron:  '30 4 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index 2e6655ac..050425c0 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -12,6 +12,9 @@ on:
 env:
   CYPRESS_CACHE_FOLDER: cypress/cache
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest