From 702b43a50f240202221e5d1b95b03b20df1b68b0 Mon Sep 17 00:00:00 2001
From: raulcabello
Date: Mon, 31 Oct 2022 15:20:54 +0100
Subject: [PATCH] Add read-all permission to all workflows
Signed-off-by: raulcabello
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/container-build.yml | 3 +++
 .github/workflows/container-image.yml | 3 +++
 .github/workflows/e2e-tests.yml | 3 +++
 .github/workflows/fossa.yml | 4 ++++
 .github/workflows/openssf.yml | 2 --
 .github/workflows/release.yml | 4 ++++
 7 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3c98e6f4..62ed151d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on: push: pull_request:
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs: unit_tests: name: Unit tests
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
index 3cdd00cd..5363c5a0 100644
--- a/.github/workflows/container-build.yml
+++ b/.github/workflows/container-build.yml
@@ -10,6 +10,9 @@ on: branches: - "*"
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs: build:
diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
index 2a8ac182..7f2dfb45 100644
--- a/.github/workflows/container-image.yml
+++ b/.github/workflows/container-image.yml
@@ -1,5 +1,8 @@ name: Build container image
+# Declare default permissions as read only.
+permissions: read-all
+
 on: workflow_call: inputs:
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index feedc02a..cb7b6cc0 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -1,5 +1,8 @@ name: End-to-end tests
+# Declare default permissions as read only.
+permissions: read-all
+
 on: workflow_dispatch: schedule:
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index 4accd1f7..dc32bfba 100644
--- a/.github/workflows/fossa.yml
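Review bot: `permissions: read-all` in the `.github/workflows/ci.yml` hunk gives the token read access to every scope, which is wider than a read-only default needs to be; a mapping of `permissions:` with the single entry `contents: read` covers checkout and leaves every other scope at `none`. The jobs start outside the hunk, so confirm none of them reads another scope (for example `pull-requests` or `packages`) before narrowing. The same line is added in container-build.yml, container-image.yml, e2e-tests.yml, fossa.yml and release.yml, and the same narrowing applies there.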
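Review bot: With the workflow-level default in `.github/workflows/container-image.yml` now read-only, any job in that file that pushes an image or requests an OIDC token needs its own job-level `permissions:` block (for example `packages: write` or `id-token: write`), and the hunk cannot show whether one exists because the jobs lie outside it. This file is invoked through `workflow_call`, so the caller's token is also an upper bound: a called workflow can lower permissions but not raise them, which means the calling job has to grant the same scopes. The same check applies to release.yml, where the `ci` job calls a reusable workflow under the new read-only default. Where job-level grants already exist, a one-line comment beside each naming the step that needs the scope would make the pairing easy to audit.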
+++ b/.github/workflows/fossa.yml
@@ -5,6 +5,10 @@ on: - 'v*' branches: - 'main'
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs: fossa-scan: runs-on: ubuntu-latest
diff --git a/.github/workflows/openssf.yml b/.github/workflows/openssf.yml
index 32cd492f..b81c6b75 100644
--- a/.github/workflows/openssf.yml
+++ b/.github/workflows/openssf.yml
@@ -15,8 +15,6 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write
- actions: read
- contents: read
 steps: - name: "Checkout code"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 11f3a186..54bca10f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,10 @@ on: push: tags: - 'v*'
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs: ci: uses: kubewarden/kubewarden-controller/.github/workflows/ci.yml@main
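Review bot: Dropping `actions: read` and `contents: read` from the job-level `permissions` block in `.github/workflows/openssf.yml` sets both scopes to `none` for this job, because a job-level block replaces the workflow-level default instead of merging with it. That is the tightest setting and should keep working while the repository is public, but the "Checkout code" step and the analysis would lose access if the repository were ever made private. A comment above the remaining entries, such as `# contents/actions omitted on purpose: job-level permissions override the workflow default; re-add both for a private repository`, would record the intent. The opening of the block and any workflow-level `permissions:` in this file are outside the hunk, so whether this file has a read-only default at all cannot be confirmed from here.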