From 47112d070cc2604e455ce833675aae1cf31fa0b2 Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Mon, 18 Nov 2024 11:50:57 -0800
Subject: [PATCH] Explicitly set GH_TOKEN permissions

change-type: patch
---
 .github/workflows/flowzone.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
index 9929d10..9efc717 100644
--- a/.github/workflows/flowzone.yml
+++ b/.github/workflows/flowzone.yml
@@ -6,6 +6,29 @@ on:
   pull_request_target:
     types: [opened, synchronize, closed]
     branches: [main, master]
+
+# Base permissions required by Flowzone
+# https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  attestations: none
+  checks: none
+  contents: read
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: read
+  # packages: read
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+  # Additional permissions needed by this repo, such as:
+  packages: write # Allow Flowzone to publish to ghcr.io
+
 jobs:
   flowzone:
     name: Flowzone
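Review bot: `packages: write` is declared at workflow level, so the GITHUB_TOKEN carries it for every job under every trigger in the `on:` block, including the `pull_request_target` trigger visible in the context lines, which runs with the base repository's token for pull requests from forks as well. Since the only job in view is `flowzone`, consider moving the `permissions:` mapping under `jobs.flowzone` so the write scope is attached to the job that publishes rather than to the whole workflow; if that job calls a reusable workflow (not visible in this hunk), the called workflow still inherits whatever the job grants, so the scoping still applies. The commented `# packages: read` line sits a few lines above `packages: write` in the same mapping and would become a duplicate key if anyone uncommented it; either drop it or change it to a sentence such as `# packages: read would suffice for pull-only consumers; write is needed to publish`. The explicit `none` entries are documentation rather than necessity, since GitHub sets every unspecified scope to `none` once any scope is listed, so a short comment saying so above `permissions:` would tell a future maintainer that adding a new scope name here is not required for it to stay denied.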