From 6213c95bbca8a97b9bf0bdec27067f76a4b6b284 Mon Sep 17 00:00:00 2001
From: Alex
Date: Fri, 23 Sep 2022 13:11:23 +0200
Subject: [PATCH 1/2] build: harden unit-test.yml permissions

Signed-off-by: Alex
---
 .github/workflows/unit-test.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index eb2edc09d8..035a2b8ef1 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -60,6 +60,9 @@ env:
 CONAN_LOGGING_LEVEL: info
 CONAN_NON_INTERACTIVE: 1
 
+permissions:
+ contents: read
+
 jobs:
 conan-recipe-version:
 uses: ultimaker/cura/.github/workflows/conan-recipe-version.yml@main
@@ -144,6 +147,11 @@ jobs:
 path: "tests/**/*.xml"
 
 publish-test-results:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ checks: write
+ pull-requests: write # to comment on pull request
+
 runs-on: ubuntu-20.04
 needs: [ testing ]
 if: success() || failure()

From 7e218bef8b7b277375c77b16d30b7ec61ae4e5f6 Mon Sep 17 00:00:00 2001
From: Alex
Date: Fri, 23 Sep 2022 13:22:49 +0200
Subject: [PATCH 2/2] build: harden conan-package.yml permissions

Signed-off-by: Alex
---
 .github/workflows/conan-package.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/conan-package.yml b/.github/workflows/conan-package.yml
index d7f4557b81..ce9d9998eb 100644
--- a/.github/workflows/conan-package.yml
+++ b/.github/workflows/conan-package.yml
@@ -47,13 +47,20 @@ on:
 - '[1-9].[0-9].[0-9]+'
 - '[1-9].[0-9][0-9].[0-9]+'
 
+permissions: {}
 jobs:
 conan-recipe-version:
+ permissions:
+ contents: read
+
 uses: ultimaker/cura/.github/workflows/conan-recipe-version.yml@main
 with:
 project_name: cura
 
 conan-package-export:
+ permissions:
+ contents: read
+
 needs: [ conan-recipe-version ]
 uses: ultimaker/cura/.github/workflows/conan-recipe-export.yml@main
 with:
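Review bot: The new workflow-level `permissions: contents: read` in unit-test.yml also becomes the ceiling for the token handed to the reusable workflow invoked a few lines below via `uses: ultimaker/cura/.github/workflows/conan-recipe-version.yml@main`, so if that workflow (which I cannot see from this patch) relied on the previous default token for any write it will now fail at the first such step; the commit message does not say this was verified. Record the intent beside the block so a later permission error is read as deliberate rather than a regression, e.g. `# least-privilege default for every job; a job that needs more declares its own permissions block`. The `jobs:` mapping continues beyond the hunk.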
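Review bot: In the publish-test-results permissions block, `checks: write` is the only entry without a purpose comment while the lines on either side have one; give it the same treatment, e.g. `checks: write # to publish the test-result check run`, naming the step that consumes it. A job-level `permissions` block replaces the workflow-level one entirely, which is why `contents: read` has to be restated here; a short comment to that effect would stop a future reviewer from deleting it as a duplicate. Whether `pull-requests: write` is effective depends on the trigger declared outside this hunk (on `pull_request` from a fork the token is read-only regardless); if the trigger is `pull_request_target`, a writable token combined with a checkout of the PR head is the combination to double-check. The job's step list continues below the hunk.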
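Review bot: `permissions: {}` in conan-package.yml appears to sit directly above `jobs:` with no separating blank line, unlike the block added to unit-test.yml in the first patch; add the blank line so the two files read the same way. The two patches also take different approaches — unit-test.yml grants `contents: read` once at workflow level, while this file starts from an empty default and repeats `permissions: contents: read` under each job (conan-recipe-version, conan-package-export, and conan-package-create-linux in the following hunk) — and the stricter default-deny choice made here deserves a comment on the line, e.g. `# default-deny: each job declares exactly the token scopes it needs`, so that a job added later without its own block is understood to get no token scopes at all. Note that `secrets: inherit` (visible in the next hunk's context) is governed separately from `permissions` and still forwards repository secrets to the called workflow.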
@@ -65,6 +72,9 @@ jobs:
 secrets: inherit
 
 conan-package-create-linux:
+ permissions:
+ contents: read
+
 if: ${{ (github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'master' || needs.conan-recipe-version.outputs.is_release_branch == 'true')) || (github.event_name == 'workflow_dispatch' && inputs.create_binaries_linux) }}
 needs: [ conan-recipe-version, conan-package-export ]