From d2a3daca69b330a9e0413a2da93858b7a8c60027 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Van=20Rompay?=
Date: Fri, 3 Jan 2025 12:43:20 +0100
Subject: [PATCH] make GitHub workflow permissions explicit
---
 .github/workflows/main.yml | 4 ++++
 .github/workflows/release.yml | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1dd4e650f..e348deee4 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,6 +1,10 @@
 name: All builds
 on: [push, pull_request]

+permissions:
+ contents: read
+ packages: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 08adf73d1..09e4f3126 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Create release from new tag

+# setting default permissions to "none"
+# because permissions are set at the job level
+permissions: {}
+
 # this flow will be run only when new tags are pushed that match our pattern
 on:
 push:
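Review bot: `packages: read` in the new workflow-level `permissions:` block of main.yml is granted without a stated reason, and nothing visible in the hunk shows the build pulling from GitHub Packages. The jobs start at the bottom of the hunk and continue outside it, so this cannot be confirmed here. If no job reads a package or container image from the registry, drop the line so the token carries only `contents: read`. If one does, record why with a comment such as `# packages: read - build pulls <package-or-image> from GitHub Packages`. Moving that scope onto the single job that needs it would narrow it further.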
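Review bot: The comment above `permissions: {}` in release.yml says permissions are set at the job level, but the jobs lie outside the hunk, so that claim cannot be checked from here. With an empty workflow-level default, any job that lacks its own `permissions:` block receives a token with no scopes. That is the safe failure mode, but it will surprise whoever adds a job later. I would state the requirement in the comment itself, e.g. `# no default token scopes: every job below must declare its own permissions block`.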