From 63fbccc425edeff918e58c68143ae38de3d404af Mon Sep 17 00:00:00 2001
From: "Anuraag (Rag) Agrawal" <anuraaga@gmail.com>
Date: Thu, 27 Jun 2024 13:51:32 +0900
Subject: [PATCH] Specify GHA permissions explicitly (#29)

---
 .github/workflows/ci.yaml      | 2 +-
 .github/workflows/release.yaml | 7 ++++++-
 .github/workflows/update.yaml  | 6 +++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 71bc390..5b26763 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,5 +10,5 @@ on:
 
 jobs:
   build:
-    uses: wasilibs/actions/.github/workflows/ci.yaml@7b3d415a47bf67024079ff9d9a0cbb96d7067276
+    uses: wasilibs/actions/.github/workflows/ci.yaml@eeee5d072ee283c12eb68e2c4969012fae3d6dd0
     secrets: inherit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7eba59f..91ca40d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,7 +5,12 @@ on:
     tags:
       - v*
 
+permissions:
+  id-token: write
+  attestations: write
+  contents: write
+
 jobs:
   release:
-    uses: wasilibs/actions/.github/workflows/release.yaml@7b3d415a47bf67024079ff9d9a0cbb96d7067276
+    uses: wasilibs/actions/.github/workflows/release.yaml@eeee5d072ee283c12eb68e2c4969012fae3d6dd0
     secrets: inherit
diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml
index 48ad664..6dc6db8 100644
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -5,7 +5,11 @@ on:
     - cron: "5 4 * * *"
   workflow_dispatch:
 
+permissions:
+  id-token: write
+  attestations: write
+
 jobs:
   build:
-    uses: wasilibs/actions/.github/workflows/update.yaml@7b3d415a47bf67024079ff9d9a0cbb96d7067276
+    uses: wasilibs/actions/.github/workflows/update.yaml@eeee5d072ee283c12eb68e2c4969012fae3d6dd0
     secrets: inherit