From a5e68972c2c89e5a840d87ab28d11723d6c33bf0 Mon Sep 17 00:00:00 2001 From: michael-kerscher Date: Wed, 29 Oct 2025 14:37:13 +0100 Subject: [PATCH] Reduce permissions for Github actions by reducing to minimal permissions (#2961) This is increasing the security of this repository. A standard GITHUB_TOKEN currently has these permissions. GITHUB_TOKEN Permissions Contents: read Metadata: read Packages: read Setting only `contents: read` permission has the effect of removing Packages permission. Metadata is added automatically. fixes #2958
---
 .github/workflows/build.yml | 2 ++ .github/workflows/check-msgid-changes.yml | 2 ++ .github/workflows/lint.yml | 2 ++ 3 files changed, 6 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8a50b6f2..5a262ffc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,6 @@
 name: Test
+permissions:
+ contents: read
 on:
 pull_request:
diff --git a/.github/workflows/check-msgid-changes.yml b/.github/workflows/check-msgid-changes.yml
index 31fd8e63..2966a080 100644
--- a/.github/workflows/check-msgid-changes.yml
+++ b/.github/workflows/check-msgid-changes.yml
@@ -1,4 +1,6 @@
 name: Prevent unintended msgid changes
+permissions:
+ contents: read
 on:
 pull_request:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 89442ec0..6e11f1d7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,4 +1,6 @@
 name: Lint
+permissions:
+ contents: read
 on:
 pull_request:
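Review bot: The new top-level `permissions:` block in build.yml (and the identical one in check-msgid-changes.yml and lint.yml) has no comment marking it as a deliberate least-privilege cap, so a later job that needs a write scope is likely to be fixed by widening this block instead of adding a job-level `permissions:` entry. I would put a line above it such as `# Least privilege: GITHUB_TOKEN is read-only for every job; grant extra scopes per job, not here.` Once any scope is listed, every unlisted scope becomes `none`, so if a job in these workflows (their bodies are outside the hunks) comments on the pull request or reads packages, it needs its own job-level grant. Any workflows this patch does not touch, if the repository has them, still run with the repository default token.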