From 1fe8e08c13865654bcc4328402c94f4fd79e3ae5 Mon Sep 17 00:00:00 2001
From: Dale Henries
Date: Fri, 15 Dec 2023 16:25:32 -0500
Subject: [PATCH] token permissions - security slam task 16
Signed-off-by: Dale Henries
---
 .github/workflows/govulncheck.yml | 3 +++
 .github/workflows/semantic.yml | 6 ++++++
 2 files changed, 9 insertions(+)
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index d326a772f2..58ad384559 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -8,6 +8,9 @@ on:
 env:
 GO_VERSION: "^1.21"
+permissions:
+ contents: read
+
 jobs:
 ci-security-checks:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/semantic.yml b/.github/workflows/semantic.yml
index 71bc8cd4e2..c2f6094adb 100644
--- a/.github/workflows/semantic.yml
+++ b/.github/workflows/semantic.yml
@@ -7,8 +7,14 @@ on:
 - edited
 - synchronize
+permissions:
+ contents: read
+
 jobs:
 main:
+ permissions:
+ pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
+ statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
 name: Validate PR title for semantic commit message
 runs-on: ubuntu-latest
 steps:
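Review bot: The workflow-level `permissions` block added to govulncheck.yml carries no comment, and declaring any scope there sets every unlisted scope to `none` for all jobs in the file. A line above it such as `# Default GITHUB_TOKEN scope for every job; unlisted scopes are none` would record that intent, matching the commented scopes in semantic.yml. The steps of `ci-security-checks` lie outside the hunk, so it is worth confirming that none of them needs more than read access to contents; a step that uploads scan results to code scanning, for instance, would need `security-events: write`.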
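Review bot: In semantic.yml the job-level `permissions` under `main` replaces the workflow-level block rather than extending it, so `main` runs with only `pull-requests: read` and `statuses: write`, and `contents` is `none` for that job. That is the tighter setting, but the top-level `contents: read` then acts only as a default for jobs without their own block, which a comment such as `# default for jobs that do not declare their own permissions` would make clear. The triggering event name sits above the hunk; if it is `pull_request`, the token for pull requests from forks is read-only by default whatever this block says, so it is worth checking that the status is still reported there. The job's steps continue outside the hunk.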