From 9c7aa5bc240197e1f56b6233f70fc65fdd1bf9e4 Mon Sep 17 00:00:00 2001
From: Carlos Gonzalez <carlos.gonzalez@codeplay.com>
Date: Tue, 1 Oct 2024 16:29:21 +0100
Subject: [PATCH] [CP-Sec] Add top-level permissions to workflows

---
 .github/workflows/build_pr_cache.yml           | 2 ++
 .github/workflows/create_llvm.yml              | 2 ++
 .github/workflows/create_publish_artifacts.yml | 2 ++
 .github/workflows/docs.yml                     | 2 ++
 .github/workflows/run_ock_demo.yml             | 2 ++
 .github/workflows/run_pr_tests.yml             | 2 ++
 6 files changed, 12 insertions(+)

diff --git a/.github/workflows/build_pr_cache.yml b/.github/workflows/build_pr_cache.yml
index 3a05db0a6..fadcdce19 100644
--- a/.github/workflows/build_pr_cache.yml
+++ b/.github/workflows/build_pr_cache.yml
@@ -19,6 +19,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
 
   build_pr_ock:
diff --git a/.github/workflows/create_llvm.yml b/.github/workflows/create_llvm.yml
index 29c7db9f8..37d202f54 100644
--- a/.github/workflows/create_llvm.yml
+++ b/.github/workflows/create_llvm.yml
@@ -11,6 +11,8 @@ on:
       - '.github/workflows/create_llvm.yml'         
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   create_llvm_cache:
     strategy:
diff --git a/.github/workflows/create_publish_artifacts.yml b/.github/workflows/create_publish_artifacts.yml
index 47d04068a..c026a0f4d 100644
--- a/.github/workflows/create_publish_artifacts.yml
+++ b/.github/workflows/create_publish_artifacts.yml
@@ -5,6 +5,8 @@ on:
       - stable
   workflow_dispatch:
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index fbdea2ed6..e1856e97f 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -15,6 +15,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   # Build job
   build:
diff --git a/.github/workflows/run_ock_demo.yml b/.github/workflows/run_ock_demo.yml
index 892ae816c..e1553cfab 100644
--- a/.github/workflows/run_ock_demo.yml
+++ b/.github/workflows/run_ock_demo.yml
@@ -7,6 +7,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/run_pr_tests.yml b/.github/workflows/run_pr_tests.yml
index 08d62a5b4..5c537e96e 100644
--- a/.github/workflows/run_pr_tests.yml
+++ b/.github/workflows/run_pr_tests.yml
@@ -17,6 +17,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true