From 08b9db03d303f208fd276a86c231c94b2ea7d5b1 Mon Sep 17 00:00:00 2001
From: Ned Batchelder <ned@nedbatchelder.com>
Date: Wed, 3 Aug 2022 11:55:49 -0400
Subject: build: be explicit about actions only having permission to read
 contents

---
 .github/workflows/coverage.yml       | 3 +++
 .github/workflows/python-nightly.yml | 3 +++
 2 files changed, 6 insertions(+)

(limited to '.github/workflows')

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index eb21145d..ac1ee43d 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -19,6 +19,9 @@ defaults:
 env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
     name: "Python ${{ matrix.python-version }} on ${{ matrix.os }}"
diff --git a/.github/workflows/python-nightly.yml b/.github/workflows/python-nightly.yml
index 6aec3b8b..ea71bb27 100644
--- a/.github/workflows/python-nightly.yml
+++ b/.github/workflows/python-nightly.yml
@@ -22,6 +22,9 @@ env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1
   COVERAGE_IGOR_VERBOSE: 1
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: "Python ${{ matrix.python-version }}"
-- 
cgit v1.2.1