From 8a77a8b77a7d5e5247e8ff563d93a14510e09b9a Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 28 Oct 2024 17:09:15 -0400
Subject: [PATCH] Restrict permissions of GITHUB_TOKEN

This changes the default permissions for the GITHUB_TOKEN used in our GitHub Actions configuration to the minimum required to successfully run.
---
 .github/workflows/build.yml | 5 +++++
 .github/workflows/sync-labels.yml | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e7a60b2..d4340af 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,6 +30,8 @@ env:
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
@@ -48,6 +50,9 @@ jobs:
   lint:
     needs:
       - diagnostics
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - id: harden-runner
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index e83bd41..39e7379 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -13,6 +13,8 @@ permissions:
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
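Review bot: The job-level `permissions: {}` on diagnostics and `contents: read` on lint (second build.yml hunk) only narrow the token for the jobs that declare them; any other job in build.yml, and any job added later, still receives the repository's default GITHUB_TOKEN grant, which is what the commit message says it wants to avoid. A workflow-level block placed above `jobs:` — `permissions:` followed by `  contents: read` (or `permissions: {}`) — makes the restrictive setting the default for every job, so the per-job blocks become explicit, reviewable widenings rather than the only guard. I cannot see whether build.yml already carries a top-level `permissions:` key (the first hunk's header context is `env:`, while sync-labels.yml's header context does show `permissions:`), so this applies only if it does not; the jobs shown are cut off at the hunk boundaries.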