From 49f6912dc38142554e74f6f24388e9ec9ef90a38 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 26 Sep 2022 13:50:53 +0200
Subject: [PATCH 1/3] build: harden tutorials.yml permissions

Signed-off-by: Alex
---
 .github/workflows/tutorials.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/tutorials.yml b/.github/workflows/tutorials.yml
index 4f80942d17..2e6093fde5 100644
--- a/.github/workflows/tutorials.yml
+++ b/.github/workflows/tutorials.yml
@@ -9,6 +9,7 @@ concurrency:
   group: tutorials-${{ github.ref }}
   cancel-in-progress: true
+permissions: {}
 jobs:
   tutorial:
     runs-on: ubuntu-latest

From fe9cbe8262e19aa9735ea14199f6a352c256f292 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 26 Sep 2022 13:51:24 +0200
Subject: [PATCH 2/3] build: harden contrib.yml permissions

Signed-off-by: Alex
---
 .github/workflows/contrib.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml
index d723e6aa48..a4ec6d7d75 100644
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -22,6 +22,9 @@ concurrency:
   group: contrib-${{ github.ref }}
   cancel-in-progress: true
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   stable:
     # Check each OS, all supported Python, minimum versions and latest releases

From b53d6743d93161d13b431ea14262d7dd14ded2c8 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 26 Sep 2022 13:55:26 +0200
Subject: [PATCH 3/3] build: harden tests.yml permissions

Signed-off-by: Alex
---
 .github/workflows/tests.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 07bb90dc9e..76d4b43843 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
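Review bot: `permissions: {}` leaves the `tutorial` job with a GITHUB_TOKEN that carries no scopes at all, while the two later patches in this series grant `contents: read` to every job that runs actions/checkout; the tutorial job's steps are outside the hunk, so if it checks out the repository it should get the same job-level grant as tests.yml, `permissions:` / `contents: read # to fetch code (actions/checkout)` under `tutorial:`. If the job deliberately needs no token scopes, a comment on the new line, `permissions: {}  # job does not use GITHUB_TOKEN`, would keep the asymmetry with tests.yml from being read as an omission.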
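Review bot: `contents: read` at workflow level in contrib.yml is inherited by every job, including any added later, whereas patch 3 uses the tighter pattern of `permissions: {}` at workflow level with a per-job grant; for consistency across the series, consider `permissions: {}` here and moving `contents: read # to fetch code (actions/checkout)` under `stable:` (and under any other job that checks out). The `stable` job's steps are outside the hunk, so whether it needs further scopes cannot be judged from here.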
@@ -29,8 +29,12 @@ concurrency:
   group: tests-${{ github.ref }}
   cancel-in-progress: true
+permissions: {}
 jobs:
   build:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -80,6 +84,9 @@ jobs:
   stable:
     # Check each OS, all supported Python, minimum versions and latest releases
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
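Review bot: Only `build` and `stable` receive `contents: read` in tests.yml (the diffstat's seven insertions are all in these two hunks), so any job defined in the stretch between them (new-side lines 41–83, not shown) now runs under the workflow-level `permissions: {}` with a token that has no scopes; if such a job uses actions/checkout it needs the same job-level block. The second hunk (`stable:`) repeats the grant verbatim, which is fine, but a comment on the workflow-level line would make the intent explicit for anyone adding a job later: `permissions: {}  # deny-all default; each job grants only the scopes it needs`. The `build` job's step list continues past the end of the first hunk.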