From 6c1da6d88e816a2cfda74744057ccc33cf99cf39 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 31 Oct 2022 03:17:17 +0200
Subject: [PATCH] GitHub Workflows security hardening (#4586)
---
 .github/workflows/run-check.yaml | 4 ++++
 .github/workflows/site-deploy.yaml | 3 +++
 .github/workflows/tests.yaml | 3 +++
 3 files changed, 10 insertions(+)
diff --git a/.github/workflows/run-check.yaml b/.github/workflows/run-check.yaml
index 922e3d63..82534906 100644
--- a/.github/workflows/run-check.yaml
+++ b/.github/workflows/run-check.yaml
@@ -3,6 +3,10 @@ on:
 workflow_dispatch:
 schedule:
 - cron: '0 0 * * 0'
+
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 build:
 name: Running test
diff --git a/.github/workflows/site-deploy.yaml b/.github/workflows/site-deploy.yaml
index a1ca2c41..c92b7f19 100644
--- a/.github/workflows/site-deploy.yaml
+++ b/.github/workflows/site-deploy.yaml
@@ -5,6 +5,9 @@ on:
 branches:
 - 'main'
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 build:
 name: Make and Deploy site
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 99e1332b..d5f247af 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -6,6 +6,9 @@ on:
 - 'main'
 pull_request:
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 build:
 name: Running test
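Review bot: The workflow-level `permissions` block in site-deploy.yaml leaves the "Make and Deploy site" job with a read-only `GITHUB_TOKEN`, and the job's steps lie outside the hunk, so it is not visible whether the deploy step publishes with that token. If it does, the publish will now be refused. In that case grant the scope on that job only, with a job-level `permissions:` holding `contents: write # to publish the built site`, and keep the workflow default at read. The same check applies to the hunks in run-check.yaml and tests.yaml: declaring any scope sets every unlisted scope to `none`, so a step that reports checks or comments on pull requests would need its scope named on the job.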