From 8da82c98effa297ded862f05ed200bca48463b6d Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 9 Oct 2024 00:57:57 +0200
Subject: [PATCH] gha: set default permissions to "contents: read"

make the OpenSSF scorecard slightly happier; https://securityscorecards.dev/viewer/?uri=github.com/docker/compose

Warn: jobLevel 'contents' permission set to 'write': .github/workflows/ci.yml:256: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/compose/ci.yml/main?enable=permissions
Warn: no topLevel permission defined: .github/workflows/docs-upstream.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/compose/docs-upstream.yml/main?enable=permissions

Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/docs-upstream.yml | 9 +++++++++
 .github/workflows/stale.yml | 10 ++++++++++
 2 files changed, 19 insertions(+)

diff --git a/.github/workflows/docs-upstream.yml b/.github/workflows/docs-upstream.yml
index af9e30104f5..2836f934e0c 100644
--- a/.github/workflows/docs-upstream.yml
+++ b/.github/workflows/docs-upstream.yml
@@ -2,6 +2,15 @@
 # to check if yaml reference docs used in this repo are valid
 name: docs-upstream
 
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3c23bec10f1..2a747ee1c25 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,4 +1,14 @@
 name: 'Close stale issues'
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 on:
 schedule:
 - cron: '0 0 * * 0,3' # at midnight UTC every Sunday and Wednesday
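Review bot: The new top-level `permissions:` block with only `contents: read` sets every other scope to `none` for the whole workflow, and a stale-issue workflow has to write to issues and pull requests to label and close them; the `jobs:` section lives outside this hunk, so please confirm the stale job carries its own job-level grant, e.g. `permissions:` / `  issues: write` / `  pull-requests: write`, as the run would presumably otherwise fail with a permission error on the first label or close. Also check that the file does not already declare a top-level `permissions:` further down, since a duplicate mapping key is either rejected or silently last-wins depending on the parser. Consider adding to the new comment that jobs needing more than read access must re-declare their scopes at job level, so the next editor does not assume the top-level block is the only one that matters.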