From 2679b2926cd89e8a7180a0cc85f348ccf80252e4 Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Wed, 28 Aug 2024 20:01:56 -0600
Subject: [PATCH] ci: update workflow permissions

Signed-off-by: Matthew Penner <me@matthewp.io>
---
 .github/workflows/build.yaml   | 2 ++
 .github/workflows/ci.yaml      | 2 ++
 .github/workflows/docker.yaml  | 3 +++
 .github/workflows/lint.yaml    | 2 ++
 .github/workflows/release.yaml | 4 +++-
 5 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4aca84ce80..6b6db3ff63 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -14,6 +14,8 @@ jobs:
   ui:
     name: UI
     runs-on: ubuntu-20.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
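Review bot: The added `permissions` block is scoped to the `ui` job alone, so any other job in build.yaml (none is visible in this hunk) would still receive the repository's default GITHUB_TOKEN scopes. Declaring the read-only default once at workflow level, as a top-level `permissions:` with `contents: read` above `jobs:`, makes least privilege the baseline and leaves job-level blocks for the jobs that need more. The same applies to the `tests` job in ci.yaml and the `lint` job in lint.yaml. All three job bodies continue outside their hunks.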
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3bf5d9ecf1..6916a0a904 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -14,6 +14,8 @@ jobs:
   tests:
     name: Tests
     runs-on: ubuntu-20.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index ffa30b3493..bf9e88607b 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -18,6 +18,9 @@ jobs:
     name: Push
     runs-on: ubuntu-20.04
     if: "!contains(github.ref, 'develop') || (!contains(github.event.head_commit.message, 'skip docker') && !contains(github.event.head_commit.message, 'docker skip'))"
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Code checkout
         uses: actions/checkout@v3
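Review bot: The checkout step at the end of this hunk now runs in a job whose token carries `packages: write`, and actions/checkout by default leaves that token in the workspace's `.git/config` for every later step. If nothing after checkout needs authenticated git access (the rest of the job is outside the hunk), add `with:` and `persist-credentials: false` to that step so the token is not on disk while the image is built. This matters most if the Docker build context ends up including the `.git` directory.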
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 68299f21df..e22c7003a9 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -14,6 +14,8 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-20.04
+    permissions:
+      contents: read
     steps:
       - name: Code Checkout
         uses: actions/checkout@v3
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index cbbb4b05e7..9bbca812ba 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,6 +9,8 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-20.04
+    permissions:
+      contents: write # write is required to create releases and push.
     steps:
       - name: Code checkout
         uses: actions/checkout@v3
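Review bot: With `contents: write` on the `release` job, every action it runs gets a token that can push and publish releases, yet `uses: actions/checkout@v3` is referenced by a mutable tag. Pinning to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, keeps a retagged or compromised action from running with that token. This counts even more for any third-party actions later in the job, which lie outside this hunk. The checkout in docker.yaml's Push job, which holds `packages: write`, merits the same pin.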
@@ -41,7 +43,7 @@ jobs:
 
       - name: Create release archive
         run: |
-          rm -rf node_modules tests CODE_OF_CONDUCT.md CONTRIBUTING.md flake.lock flake.nix phpunit.xml shell.nix 
+          rm -rf node_modules tests CODE_OF_CONDUCT.md CONTRIBUTING.md flake.lock flake.nix phpunit.xml shell.nix
           tar -czf panel.tar.gz * .editorconfig .env.example .eslintignore .eslintrc.js .gitignore .prettierrc.json
 
       - name: Extract changelog