From 32a22b5420eff51dab4159ef61a56c89d1e8193e Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 26 Sep 2022 12:25:49 +0200
Subject: [PATCH] CI: GitHub Workflows security hardening (#3377)
Signed-off-by: Alex
---
 .github/workflows/ci-darwin-arm64v8.yml | 3 +++
 .github/workflows/ci.yml | 5 +++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/ci-darwin-arm64v8.yml b/.github/workflows/ci-darwin-arm64v8.yml
index 7c88ddbf2..57ea98428 100644
--- a/.github/workflows/ci-darwin-arm64v8.yml
+++ b/.github/workflows/ci-darwin-arm64v8.yml
@@ -2,8 +2,11 @@ name: CI (MacStadium)
 on:
 - push
 - pull_request
+permissions: {}
 jobs:
 CI:
+ permissions:
+ contents: write # for npx prebuild to make release
 runs-on: macos-m1
 strategy:
 fail-fast: false
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c8ed12e51..cb5190369 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,8 +2,13 @@ name: CI (GitHub)
 on:
 - push
 - pull_request
+permissions: {}
 jobs:
 CI:
+ permissions:
+ contents: write # for npx prebuild to make release
+ checks: write # to create new checks (coverallsapp/github-action)
+
 runs-on: ${{ matrix.os }}
 container: ${{ matrix.container }}
 strategy:
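Review bot: In `.github/workflows/ci-darwin-arm64v8.yml` the new `contents: write` is granted at job level, so every step of `CI` (dependency install and tests included, not only the `npx prebuild` upload the comment names) runs with a token that can push to the repository and create releases; the `CI` job in `.github/workflows/ci.yml` has the same grant. Pull requests from forks normally still get a read-only token, so this mainly concerns push runs and pull requests opened from branches of the same repository. The job's steps are outside the hunk, but if the upload only happens on tag pushes, the test job could stay at `contents: read` and the upload move to a separate job that carries `contents: write` and is guarded by `if: startsWith(github.ref, 'refs/tags/')`.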
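Review bot: In `.github/workflows/ci.yml` the third-party `coverallsapp/github-action` now runs inside a job that holds both `checks: write` and `contents: write`, so the reference to it should be pinned to a full commit SHA rather than a tag or branch. The step that uses the action is outside the hunk, so whether it is already pinned cannot be seen here; the form would be `uses: coverallsapp/github-action@<full-commit-sha>` (placeholder). It is also worth confirming that the action really needs `checks: write` for the way this workflow calls it, since the scope is job-wide. The empty `+` line between the permissions block and `runs-on:` can be dropped.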