From 44fedf95d30b24f8f3f5d7b2dd1dd5f25980a53b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ville=20Skytt=C3=A4?= <ville.skytta@upcloud.com>
Date: Wed, 17 Sep 2025 13:54:34 +0300
Subject: [PATCH] chore(ci): tighten workflow token permissions

---
 .github/workflows/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 33a2d1a..4d16bef 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -4,9 +4,13 @@ on:
   - push
   - pull_request
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Python
@@ -25,6 +29,8 @@ jobs:
           - py312
           - py313
           - pypy3
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Fedora Tox with ${{ matrix.tox_env }}
@@ -40,6 +46,8 @@ jobs:
   deploy:
     name: Build deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0