From 754dfcc1ddfbca3c0ebd606c0e5cc9c77b80597b Mon Sep 17 00:00:00 2001
From: Patrick Ohly
Date: Fri, 19 Jul 2024 16:44:46 +0200
Subject: [PATCH] github: add default permissions

This makes the GitHub actions more secure.
---
 .github/workflows/codeql.yml | 3 +++
 .github/workflows/lint.yaml | 4 ++++
 .github/workflows/publish.yml | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 481c85deb..73a61ed98 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on:
 schedule:
 - cron: '45 2 * * 0'
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index e21f9108e..732cdca13 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -6,6 +6,10 @@ on:
 branches:
 - "*"
 pull_request:
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 golangci:
 name: lint
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 13a18b5c2..dddc821c6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,6 +10,10 @@ on:
 - release-1.0
 - release-1.1
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
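Review bot: With the workflow-level `permissions: read-all` added above `jobs:` in codeql.yml, the `analyze` job runs with a read-only GITHUB_TOKEN unless it declares its own block, and uploading CodeQL results needs `security-events: write`. The job body continues outside the hunk, so this cannot be confirmed from here; if there is no job-level block, add `permissions:` with `security-events: write` (alongside `actions: read` and `contents: read`) under `analyze:`. The same check applies to the `build` job in publish.yml, whose steps are not visible: any step that writes with GITHUB_TOKEN needs an explicit job-level write scope once this default is in place.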
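Review bot: `permissions: read-all` before `jobs:` in lint.yaml still grants read access on every token scope, which is more than a lint run needs. A `permissions:` mapping with the single entry `contents: read` sets all other scopes to none and is the tighter default. The `golangci` job's steps are outside the hunk; if it relies on the lint action's `only-new-issues` mode, `pull-requests: read` would presumably be needed as well. The same narrowing applies to the identical line added in codeql.yml and publish.yml.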