From 4f6e132d2fc56feabd9d87cac98906d3e5806d6a 2022-09-09 12:17:42
From: Matthias Bussonnier
Date: 2022-09-09 12:17:42
Subject: [PATCH] Merge pull request #13750 from Carreau/sec-2 SEC: force workflows to be read-only.
---
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index e4be71c..f18fb39 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -2,6 +2,9 @@ name: Build docs
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/downstream.yml b/.github/workflows/downstream.yml
index ae2dbe5..e6206ae 100644
--- a/.github/workflows/downstream.yml
+++ b/.github/workflows/downstream.yml
@@ -8,6 +8,8 @@ on:
 - cron: '23 1 * * 1'
 workflow_dispatch:
+permissions:
+ contents: read
 jobs:
 test:
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 2725c92..8d1927d 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main, 7.x]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index fc28ac8..62667b4 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -3,6 +3,9 @@ name: Python package
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ main, 7.x ]
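Review bot: The new top-level `permissions:` block in docs.yml carries no comment saying that listing only `contents: read` drops every unlisted GITHUB_TOKEN scope to `none`, and the same applies to the identical blocks added in downstream.yml, mypy.yml and python-package.yml. A maintainer who later adds a step that needs a write scope will hit a permission error and may be tempted to widen this block for the whole workflow. I would add `# Least privilege: token is read-only; grant extra scopes on the job that needs them.` directly above `permissions:`. The job bodies lie outside these hunks, so whether any existing step already needs a write scope cannot be confirmed from here.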
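Review bot: In python-package.yml the `permissions:` block is inserted between `name:` and `on:`, while the other three workflows in this commit place it after the trigger block and before `jobs:`. Both positions are valid, but a uniform position makes it easier to audit that every workflow declares its token scope. I would move the three added lines to sit after the `on:` mapping, directly above `jobs:`; the end of the `on:` block is outside the hunk.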