From 7c8e433a51800914071e02484d77d4cb780da24b Mon Sep 17 00:00:00 2001
From: Lucas Larson
Date: Sat, 27 Apr 2024 15:38:38 -0400
Subject: [PATCH] fix: ensure safer workflow permissions (CKV2_GHA_1)

Signed-off-by: Lucas Larson
---
 .github/workflows/changelog.yml | 3 +++
 .github/workflows/jsonlint.yml | 3 +++
 .github/workflows/shellcheck-markdown.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 4512dee..e0bef7e 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 # cancel any in-progress job or run
 concurrency:
   group: ${{ github.ref }}
diff --git a/.github/workflows/jsonlint.yml b/.github/workflows/jsonlint.yml
index 48cd0bf..921e48f 100644
--- a/.github/workflows/jsonlint.yml
+++ b/.github/workflows/jsonlint.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   format-json:
     name: Format JSON files and create a pull request
diff --git a/.github/workflows/shellcheck-markdown.yml b/.github/workflows/shellcheck-markdown.yml
index 7a000e4..499e542 100644
--- a/.github/workflows/shellcheck-markdown.yml
+++ b/.github/workflows/shellcheck-markdown.yml
@@ -4,6 +4,9 @@ name: Shellcheck code in Markdown
 on:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
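Review bot: The new workflow-level `permissions:` block carries no explanation of why it exists or how jobs that need more should extend it, which is the same in the jsonlint.yml and shellcheck-markdown.yml hunks. A one-line comment above it would keep a later maintainer from reverting it back to the repository default: `# least-privilege default for GITHUB_TOKEN (CKV2_GHA_1); widen per job, not here`. The jobs this default applies to are outside the hunk, so whether any of them needs write scopes cannot be judged from this hunk alone.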
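Review bot: In the jsonlint.yml hunk the workflow-level `contents: read` now also governs the `format-json` job, whose visible name says it creates a pull request; if that job uses `GITHUB_TOKEN` to push a branch or open the PR, it will now fail with a permissions error, whereas if it authenticates with a separate token the default is harmless. Rather than widening the workflow-level block, the read-only default should stay and the job should declare its own scope, e.g. under `format-json:` add `permissions:` with `contents: write` and `pull-requests: write`. The job body that would confirm which token it uses lies outside the hunk.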