From 6c1e25bff0418f7a05a07e563402d529fc0d4efb Mon Sep 17 00:00:00 2001
From: Eli <88557639+lishaduck@users.noreply.github.com>
Date: Wed, 3 Jul 2024 20:53:26 -0400
Subject: [PATCH] ci: restrict permissions
---
 .github/workflows/test.yml | 3 +++
 new-package/github/workflows/test.yml | 6 ++++++
 .../.github/workflows/test.yml | 6 ++++++
 .../elm-review-something/.github/workflows/test.yml | 6 ++++++
 4 files changed, 21 insertions(+)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 92be0c52b..0ad9122e7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,6 +8,9 @@ defaults: run: shell: bash
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: test:
diff --git a/new-package/github/workflows/test.yml b/new-package/github/workflows/test.yml
index c50af58c2..494515767 100644
--- a/new-package/github/workflows/test.yml
+++ b/new-package/github/workflows/test.yml
@@ -4,6 +4,9 @@ name: CI # events but only for the main branch on: [push, pull_request]
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: test:
@@ -64,6 +67,9 @@ jobs: publish: needs: [test] # make sure all your other jobs succeed before trying to publish
+ permissions:
+ contents: write
+
 # The type of runner that the job will run on runs-on: ubuntu-latest
diff --git a/test/run-snapshots/elm-review-something-for-new-rule/.github/workflows/test.yml b/test/run-snapshots/elm-review-something-for-new-rule/.github/workflows/test.yml
index c50af58c2..494515767 100644
--- a/test/run-snapshots/elm-review-something-for-new-rule/.github/workflows/test.yml
+++ b/test/run-snapshots/elm-review-something-for-new-rule/.github/workflows/test.yml
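Review bot: The workflow-level `permissions:` block added to `.github/workflows/test.yml` has no comment, although the sections around it are commented. Listing only `contents: read` sets every unlisted GITHUB_TOKEN scope to `none` for all jobs in the file, so a line such as `# Least-privilege default for GITHUB_TOKEN; a job that needs more must declare its own permissions block.` above the key would help whoever adds the next job. The job bodies are outside the hunk, so it is worth confirming that none of them relies on a scope other than repository read.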
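Review bot: The `contents: write` grant on the `publish` job in `new-package/github/workflows/test.yml` applies on both triggers in `on: [push, pull_request]`, and nothing in the hunk limits the job to pushes on the release branch. The rest of the job is outside the hunk; if it is gated only at step level, or not at all, a pull request opened from a branch in the same repository would run the job with a write-capable token. A job-level guard such as `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` (branch name assumed from the "main branch" comment) keeps the write scope off pull-request runs. A short comment on the block, for example `# write access is needed to push the release tag` if that is indeed the reason, would document the exception. The two copies under `test/run-snapshots/` carry the same hunk.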
@@ -4,6 +4,9 @@ name: CI # events but only for the main branch on: [push, pull_request]
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: test:
@@ -64,6 +67,9 @@ jobs: publish: needs: [test] # make sure all your other jobs succeed before trying to publish
+ permissions:
+ contents: write
+
 # The type of runner that the job will run on runs-on: ubuntu-latest
diff --git a/test/run-snapshots/elm-review-something/.github/workflows/test.yml b/test/run-snapshots/elm-review-something/.github/workflows/test.yml
index c50af58c2..494515767 100644
--- a/test/run-snapshots/elm-review-something/.github/workflows/test.yml
+++ b/test/run-snapshots/elm-review-something/.github/workflows/test.yml
@@ -4,6 +4,9 @@ name: CI # events but only for the main branch on: [push, pull_request]
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: test:
@@ -64,6 +67,9 @@ jobs: publish: needs: [test] # make sure all your other jobs succeed before trying to publish
+ permissions:
+ contents: write
+
 # The type of runner that the job will run on runs-on: ubuntu-latest