From 6213c95bbca8a97b9bf0bdec27067f76a4b6b284 Mon Sep 17 00:00:00 2001
From: Alex <aleksandrosansan@gmail.com>
Date: Fri, 23 Sep 2022 13:11:23 +0200
Subject: [PATCH] build: harden unit-test.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>
---
 .github/workflows/unit-test.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index eb2edc09d8..035a2b8ef1 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -60,6 +60,9 @@ env:
     CONAN_LOGGING_LEVEL: info
     CONAN_NON_INTERACTIVE: 1
 
+permissions:
+  contents: read
+
 jobs:
     conan-recipe-version:
         uses: ultimaker/cura/.github/workflows/conan-recipe-version.yml@main
@@ -144,6 +147,11 @@ jobs:
                     path: "tests/**/*.xml"
 
     publish-test-results:
+        permissions:
+          contents: read # to fetch code (actions/checkout)
+          checks: write
+          pull-requests: write # to comment on pull request
+
         runs-on: ubuntu-20.04
         needs: [ testing ]
         if: success() || failure()