From 7bb00592aa125aa06b9faf957342ef72597c9717 Mon Sep 17 00:00:00 2001
From: Ashish Kurmi
Date: Sun, 2 Oct 2022 11:36:03 -0700
Subject: [PATCH 1/2] ci: add minimum GitHub token permissions for workflows
Signed-off-by: Ashish Kurmi
---
.github/workflows/build.yml | 3 +++
.github/workflows/build_pat.yml | 3 +++
.github/workflows/deploy.yml | 3 +++
.github/workflows/lint.yml | 3 +++
.github/workflows/stale.yml | 6 ++++++
.github/workflows/test_mim.yml | 3 +++
6 files changed, 21 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 066e70d10b0..8fa8605ed07 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,6 +27,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 build_cpu:
 runs-on: ubuntu-18.04
diff --git a/.github/workflows/build_pat.yml b/.github/workflows/build_pat.yml
index 438e27ed8a5..82eaafc0307 100644
--- a/.github/workflows/build_pat.yml
+++ b/.github/workflows/build_pat.yml
@@ -6,6 +6,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 build_parrots:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f575061468b..c7fed28dd16 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,6 +6,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 build-n-publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 91565fe36af..a1e5aa2c083 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
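Review bot: The new top-level `permissions` block in .github/workflows/build.yml carries no comment, so a contributor who later adds a job that needs write access has no hint that the workflow default is now read-only. I would put one line above it, `# Least-privilege default for GITHUB_TOKEN; a job that needs more declares its own permissions block`. The same applies to the identical blocks added in build_pat.yml, deploy.yml, lint.yml and test_mim.yml. Note for readers that this key scopes only the automatically issued GITHUB_TOKEN, not repository secrets handed to individual steps.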
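Review bot: In .github/workflows/deploy.yml the read-only default now also governs `build-n-publish`, whose steps lie outside the hunk, so it should be confirmed that no step relies on GITHUB_TOKEN to create a release, push a tag or upload an asset. If the job publishes with a registry credential from `secrets`, that credential is untouched by this block and remains the higher-value item in the workflow. Declaring the block on the job itself, with a comment such as `# GITHUB_TOKEN only needs to read the repository; publishing uses a separate credential`, would record that once it is verified.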
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index b3506c7a698..5c1d92b3d09 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,8 +5,14 @@ on:
 # check issue and pull request once every day
 - cron: '25 11 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 invalid-stale-close:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@v4
diff --git a/.github/workflows/test_mim.yml b/.github/workflows/test_mim.yml
index a57dda8a999..1a8e8efbfe6 100644
--- a/.github/workflows/test_mim.yml
+++ b/.github/workflows/test_mim.yml
@@ -15,6 +15,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 build_cpu:
 runs-on: ubuntu-18.04
From 8d272b36d07f9438b97c7c63e1152fd1486e2e30 Mon Sep 17 00:00:00 2001
From: Ashish Kurmi
Date: Sun, 2 Oct 2022 11:52:05 -0700
Subject: [PATCH 2/2] removing yaml comments
Signed-off-by: Ashish Kurmi
---
.github/workflows/stale.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 5c1d92b3d09..1ceee3df56d 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -11,8 +11,8 @@ permissions:
 jobs:
 invalid-stale-close:
 permissions:
- issues: write # for actions/stale to close stale issues
- pull-requests: write # for actions/stale to close stale PRs
+ issues: write
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@v4
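Review bot: In .github/workflows/stale.yml (patch 1/2) the job-level `permissions` on `invalid-stale-close` replaces the workflow-level block rather than merging with it, so this job runs with `issues: write` and `pull-requests: write` and every other scope, including `contents`, set to none. The top-level `contents: read` therefore only acts as the default for jobs added later, which deserves a short comment. Those two write scopes go to `actions/stale@v4`, which the context line references by a mutable tag. Pinning it to a full commit SHA, `- uses: actions/stale@<full-commit-sha> # v4`, keeps a moved tag from inheriting write access to issues and pull requests. The step's `with:` options are outside the hunk, so whether any of them needs a further scope cannot be checked from here.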
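Review bot: With the inline comments removed in patch 2/2, nothing in stale.yml records why `invalid-stale-close` holds two write scopes, and that rationale is what a later permissions audit looks for first. If trailing comments were the objection, a single line above the job's `permissions:` key keeps the justification without them: `# actions/stale needs write access to close stale issues and PRs`. The job's steps continue outside the hunk.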