From 17da74cdbde5e5f9e6a1ca90ebb5949c4bedd131 Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Mon, 18 Nov 2024 12:03:02 -0800
Subject: [PATCH] Explicitly set GH_TOKEN permissions
change-type: patch
---
 .github/workflows/flowzone.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
index 16bf82d..b8e0d57 100644
--- a/.github/workflows/flowzone.yml
+++ b/.github/workflows/flowzone.yml
@@ -9,6 +9,27 @@ on:
 types: [opened, synchronize, closed]
 branches: [main, master]
+# Base permissions required by Flowzone
+# https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ actions: none
+ attestations: none
+ checks: none
+ contents: read
+ deployments: none
+ id-token: none
+ issues: none
+ discussions: none
+ pages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
+
+ # Additional permissions needed by this repo, such as:
+ packages: write # Allow Flowzone to publish to ghcr.io
+
 jobs:
 flowzone:
 name: Flowzone
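Review bot: `packages: write` is granted in the workflow-level `permissions:` block, so every job in this file gets a package-write GITHUB_TOKEN on every trigger, including the pull-request events (`opened`, `synchronize`, `closed`) listed just above the hunk. If only the `flowzone` job publishes to ghcr.io, the write scope could move to a job-level block on that job, for example `permissions:` with `contents: read` and `packages: write`. A job-level block replaces the workflow-level one for that job, so `contents: read` has to be repeated there. The `jobs:` section and the trigger key both lie outside the hunk; if the trigger is `pull_request_target`, it is worth confirming that runs for fork PRs cannot reach the publish step with this token. The comment `# Additional permissions needed by this repo, such as:` reads like template wording and could instead state the concrete need.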