From b60dd6f945d2f0a4d10ea9e61681f1d893b364cb Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Thu, 20 Apr 2023 07:50:45 +0200
Subject: [PATCH] workflows: Explicitly set minimal token permissions

This will allow us to set the default token permissions to restricted, and thus avoid accidentally introducing over-privileged new workflows.
---
 .github/workflows/cockpit-lib-update.yml | 3 +++
 .github/workflows/npm-update-pf.yml | 3 +++
 .github/workflows/npm-update.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/cockpit-lib-update.yml b/.github/workflows/cockpit-lib-update.yml
index 49d48e5..2f9de38 100644
--- a/.github/workflows/cockpit-lib-update.yml
+++ b/.github/workflows/cockpit-lib-update.yml
@@ -7,6 +7,9 @@ on:
 jobs:
 cockpit-lib-update:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
 steps:
 - name: Set up dependencies
 run: |
diff --git a/.github/workflows/npm-update-pf.yml b/.github/workflows/npm-update-pf.yml
index 8a458bd..e07f20f 100644
--- a/.github/workflows/npm-update-pf.yml
+++ b/.github/workflows/npm-update-pf.yml
@@ -7,6 +7,9 @@ on:
 jobs:
 npm-update:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
 steps:
 - name: Set up dependencies
 run: |
diff --git a/.github/workflows/npm-update.yml b/.github/workflows/npm-update.yml
index 13fe1b2..4b06dee 100644
--- a/.github/workflows/npm-update.yml
+++ b/.github/workflows/npm-update.yml
@@ -7,6 +7,9 @@ on:
 jobs:
 npm-update:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
 steps:
 - name: Set up dependencies
 run: |
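Review bot: The `permissions:` block added under `cockpit-lib-update` grants `contents: write` and `pull-requests: write` to every step of the job, and nothing records which step needs which scope; the same applies to the `npm-update` jobs in npm-update-pf.yml and npm-update.yml. A trailing comment on each line would let a later reviewer confirm the grant is still minimal, for example `contents: write  # push the update branch` and `pull-requests: write  # open the update PR`. Those reasons are inferred from the workflow names, so adjust them to what the steps actually do. The job body continues past the hunk, so it is not visible whether "Set up dependencies" or later steps run third-party code while the write-scoped token is available; if they do, that is worth noting in the same comment.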