From 0c2b9a9c7cd1d70d822c7cb219b3c02158855a56 Mon Sep 17 00:00:00 2001
From: Roger Ng
Date: Fri, 20 Dec 2024 15:28:40 +0000
Subject: [PATCH] Fix token permission code scanning alert (#425)
---
 .github/workflows/benchmark-go-main.yml | 3 +++
 .github/workflows/benchmark-go-pr.yml | 3 +++
 .github/workflows/codeql.yml | 3 +++
 .github/workflows/scorecard.yml | 3 +++
 .github/workflows/terragrunt_test.yml | 3 +++
 5 files changed, 15 insertions(+)
diff --git a/.github/workflows/benchmark-go-main.yml b/.github/workflows/benchmark-go-main.yml
index 5cefab5b..3e6fe830 100644
--- a/.github/workflows/benchmark-go-main.yml
+++ b/.github/workflows/benchmark-go-main.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 benchmark:
 name: Performance regression check
diff --git a/.github/workflows/benchmark-go-pr.yml b/.github/workflows/benchmark-go-pr.yml
index 4baf454e..9656b070 100644
--- a/.github/workflows/benchmark-go-pr.yml
+++ b/.github/workflows/benchmark-go-pr.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 benchmark:
 name: Performance regression check
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c0dfbb10..baf8e8bc 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on:
 schedule:
 - cron: '15 10 * * 1'
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index bfe8eb29..c02c38e1 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -14,6 +14,9 @@ on:
 push:
 branches: [ "main" ]
 
+permissions:
+ contents: read
+
 jobs:
 analysis:
 name: Scorecard analysis
diff --git a/.github/workflows/terragrunt_test.yml b/.github/workflows/terragrunt_test.yml
index a231459e..15c547ff 100644
--- a/.github/workflows/terragrunt_test.yml
+++ b/.github/workflows/terragrunt_test.yml
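Review bot: A workflow-level `permissions:` block that lists only `contents: read` sets every other GITHUB_TOKEN scope to `none`, and the job bodies that might need more lie outside these hunks, so the change is only safe if those jobs carry their own job-level grants. In `codeql.yml` the `analyze` job needs `security-events: write` to upload its results, and in `scorecard.yml` the `analysis` job typically needs `security-events: write` plus `id-token: write` when results are published; confirm both are declared under the job rather than inherited. The two benchmark workflows deserve the same check if they push stored results or comment on pull requests. A one-line comment above each new block, such as `# Read-only default; jobs that need more declare it at job level`, would record the intent for the next editor.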
@@ -2,6 +2,9 @@ name: 'Terragrunt format check'
 on:
 - pull_request
 
+permissions:
+ contents: read
+
 env:
 tf_version: '1.5.7'
 tg_version: '0.55.1'