From 2b7f1ed4ed20c6b0e342b015318dbe458c34cd17 Mon Sep 17 00:00:00 2001
From: Tyrrrz <1935960+Tyrrrz@users.noreply.github.com>
Date: Sat, 27 May 2023 22:42:04 +0300
Subject: [PATCH] Use granular permissions for GitHub Actions
---
 .github/workflows/docker.yml | 9 ++++++++-
 .github/workflows/main.yml | 16 +++++++++++++---
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 795b128a..a86a027a 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -5,6 +5,9 @@ on: [push, pull_request]
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ contents: read
 steps:
 - name: Checkout
@@ -30,6 +33,8 @@ jobs:
 deploy-latest:
 if: ${{ github.event_name == 'push' && github.ref_type == 'branch' && github.ref_name == 'master' }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -55,6 +60,8 @@ jobs:
 deploy-stable:
 if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -80,4 +87,4 @@ jobs:
 --push
 --tag tyrrrz/discordchatexporter:stable
 --tag tyrrrz/discordchatexporter:${{ steps.get-version.outputs.tag }}
- .
+ .
\ No newline at end of file
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e760522a..bb9c3aff 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,6 +5,8 @@ on: [push, pull_request]
 jobs:
 test:
 runs-on: windows-latest
+ permissions:
+ contents: read
 env:
 DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
@@ -38,9 +40,12 @@ jobs:
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
- package:
+ pack:
 needs: test
 runs-on: windows-latest
+ permissions:
+ actions: write
+ contents: read
 env:
 DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
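Review bot: `actions: write` on the `build` job in docker.yml (and again on `pack` in main.yml, with `actions: read` on `deploy`) looks broader than an artifact hand-off between jobs needs. Uploading and downloading artifacts within the same workflow run is authorised by the runner's own runtime token rather than by the `actions` scope of `GITHUB_TOKEN`, whereas `actions: write` also lets any step in the job cancel or re-run workflow runs and delete artifacts and caches. The steps of these jobs continue outside the hunks, so this is inferred from the job names and the `Download artifacts (CLI)` step. If the jobs only pass artifacts along, reduce the blocks to `contents: read` (keeping `contents: write` on `deploy`). For any scope that stays, add a comment naming the step that needs it, e.g. `# actions: write is required by <step name>`.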
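Review bot: Neither workflow gets a workflow-level `permissions` default, so the restriction added to `test` here (and to every other job in main.yml and docker.yml) holds only while each future job declares its own block. A job added later without one falls back to the repository or organisation default token scope, which may be read-write. Consider adding a top-level `permissions: {}` next to `on: [push, pull_request]`, which sits just above this hunk, in both files, and keep the per-job grants as they are. A one-line comment such as `# deny by default; each job opts in to the scopes it needs` would record the intent.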
@@ -82,8 +87,11 @@ jobs:
 deploy:
 if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
- needs: package
+ needs: pack
 runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: write
 steps:
 - name: Download artifacts (CLI)
@@ -128,6 +136,8 @@ jobs:
 notify:
 needs: deploy
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Get release version
@@ -144,4 +154,4 @@ jobs:
 body: |
 {
 "content": "**DiscordChatExporter** new version released!\nVersion: `${{ steps.get-version.outputs.tag }}`\nChangelog: "
- }
+ }
\ No newline at end of file
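Review bot: `contents: read` on `notify` may still be more than the job uses. The steps visible in this diff read the release version and post a message body, and neither obviously touches repository contents. The job's step list continues outside the hunk, so confirm there is no checkout or API call against the repo. If there is none, `permissions: {}` gives the job a token with no scopes at all, and a short comment like `# no repository access needed; only posts a notification` would keep it that way.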