From 4a9be12522891d4957e73baa521d45166f0e5768 Mon Sep 17 00:00:00 2001
From: Ole Herman Schumacher Elgesem <ole.elgesem@northern.tech>
Date: Fri, 4 Jul 2025 16:32:46 +0200
Subject: [PATCH] GH Actions: Added explicit permissions

Signed-off-by: Ole Herman Schumacher Elgesem <ole.elgesem@northern.tech>
---
 .github/workflows/black.yml                | 2 ++
 .github/workflows/python-publish.yml       | 3 ++-
 .github/workflows/python-tests.yml         | 4 ++++
 .github/workflows/python-validate-test.yml | 2 ++
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index b2ee2f38..8e782751 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -12,6 +12,8 @@ on:
 jobs:
   check:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 7cffb8d0..96cafa9f 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -10,7 +10,8 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml
index 15820549..edb3c436 100644
--- a/.github/workflows/python-tests.yml
+++ b/.github/workflows/python-tests.yml
@@ -12,6 +12,8 @@ on:
 jobs:
   test:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -51,6 +53,8 @@ jobs:
           UNSAFE_TESTS=1 bash tests/shell/all.sh
   test-legacy:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     env:
       # Temporary workaround for Python 3.5 failures - May 2024, see CFE-4395
       PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
diff --git a/.github/workflows/python-validate-test.yml b/.github/workflows/python-validate-test.yml
index a03fdca2..b116043e 100644
--- a/.github/workflows/python-validate-test.yml
+++ b/.github/workflows/python-validate-test.yml
@@ -12,6 +12,8 @@ on:
 jobs:
   test-legacy:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     env:
       # Temporary workaround for Python 3.5 failures - May 2024, see CFE-4395
       PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"