From 457787d0232585f8a69a53300868990830631042 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot <bot@stepsecurity.io>
Date: Fri, 14 Oct 2022 00:48:28 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions Signed-off-by:
 StepSecurity Bot <bot@stepsecurity.io>

---
 .github/workflows/codeql-analysis.yml | 3 +++
 .github/workflows/fossa.yml           | 3 +++
 .github/workflows/labeler.yml         | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 18cadc4089..9e8cb6cdc2 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.ref_name }}-codeql
   cancel-in-progress: true
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index b9fe65776d..ca9993ef86 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -9,6 +9,9 @@ concurrency:
   group: ${{ github.ref_name }}-fossa
   cancel-in-progress: true
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   scan:
     name: Fossa
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 053fddb01f..4413605165 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,6 +2,9 @@ name: "Pull Request Labeler"
 on:
   - pull_request_target
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   triage:
     permissions: