From ba51979460077bc6cced4d3b186456761f786ad6 Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Wed, 22 Jan 2025 12:19:40 +0100 Subject: [PATCH] fix(reuse): Restrict workflow to read permissions Signed-off-by: Ferdinand Thiessen --- .github/workflows/dispatch-workflow.yml | 3 +++ .github/workflows/lint-yaml.yml | 3 +++ .github/workflows/reuse.yml | 3 +++ workflow-templates/appstore-build-publish.yml | 3 +++ workflow-templates/command-compile.yml | 3 +++ workflow-templates/command-openapi.yml | 3 +++ workflow-templates/cypress.yml | 4 ++++ workflow-templates/documentation.yml | 3 +++ workflow-templates/npm-audit-fix.yml | 3 +++ workflow-templates/pr-feedback.yml | 4 ++++ workflow-templates/psalm-matrix.yml | 3 +++ workflow-templates/psalm.yml | 3 +++ workflow-templates/reuse.yml | 3 +++ workflow-templates/update-nextcloud-ocp-matrix.yml | 3 +++ workflow-templates/update-nextcloud-ocp.yml | 3 +++ 15 files changed, 47 insertions(+) diff --git a/.github/workflows/dispatch-workflow.yml b/.github/workflows/dispatch-workflow.yml index e4d3c314..a2b10cd1 100644 --- a/.github/workflows/dispatch-workflow.yml +++ b/.github/workflows/dispatch-workflow.yml @@ -21,6 +21,9 @@ on: type: number default: 1 +permissions: + contents: read + jobs: repositories: runs-on: ubuntu-latest diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml index cd1dc231..77b40cb4 100644 --- a/.github/workflows/lint-yaml.yml +++ b/.github/workflows/lint-yaml.yml @@ -10,6 +10,9 @@ name: Lint on: pull_request +permissions: + contents: read + jobs: yaml-lint: runs-on: ubuntu-latest diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index b6828556..0d8e1962 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -11,6 +11,9 @@ name: REUSE Compliance Check on: [pull_request] +permissions: + contents: read + jobs: reuse-compliance-check: runs-on: ubuntu-latest 
diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml index 3eaf3c8e..316ba144 100644 --- a/workflow-templates/appstore-build-publish.yml +++ b/workflow-templates/appstore-build-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: write + jobs: build_and_publish: runs-on: ubuntu-latest diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml index e9e39751..70b29b29 100644 --- a/workflow-templates/command-compile.yml +++ b/workflow-templates/command-compile.yml @@ -11,6 +11,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml index 24ce4a22..dbac01ee 100644 --- a/workflow-templates/command-openapi.yml +++ b/workflow-templates/command-openapi.yml @@ -11,6 +11,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index 9d7244f4..8eaa82dc 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -24,6 +24,10 @@ env: # n.b. server will use head_ref, as we want to test the PR branch. BRANCH: ${{ github.base_ref || github.ref_name }} + +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest-low diff --git a/workflow-templates/documentation.yml b/workflow-templates/documentation.yml index ca15d46a..289a3401 100644 --- a/workflow-templates/documentation.yml +++ b/workflow-templates/documentation.yml @@ -13,6 +13,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: build-and-deploy: runs-on: ubuntu-latest diff --git a/workflow-templates/npm-audit-fix.yml b/workflow-templates/npm-audit-fix.yml index b3d4c266..462f2a24 100644 --- a/workflow-templates/npm-audit-fix.yml +++ b/workflow-templates/npm-audit-fix.yml 
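Review bot: The top-level `contents: write` added in the appstore-build-publish hunk grants write access to every job in the workflow, not only to the step that needs it. Prefer `permissions: contents: read` at the top and `permissions: contents: write` on the `build_and_publish` job (whose body continues outside the hunk), so any job added later starts read-only; note that a job-level `permissions:` block, if one already exists outside the hunk, replaces this default rather than narrowing it, so that should be checked as well. Whatever the final placement, add a one-line reason next to the grant, e.g. `# contents: write — needed to upload the built app as a release asset` (presumably why it is needed given the `release: published` trigger; confirm against the job's steps).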
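Review bot: `contents: read` in the command-compile hunk only works if every step that pushes compiled assets back to the PR branch, or reacts to the triggering comment, uses a token other than GITHUB_TOKEN; the `init` job and the rest of the workflow are outside the hunk, so this cannot be verified here. If any step does `git push` with the default token it will now fail with a 403, and posting a reaction or comment on the PR would additionally need `pull-requests: write`. Worth stating the intent above the block so nobody widens it reflexively, e.g. `# GITHUB_TOKEN is read-only; pushes to the PR branch use the dedicated bot token`. Keep in mind that `issue_comment` workflows run on the default branch with repository secrets, so this restriction does not by itself mitigate building untrusted PR code in that context.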
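Review bot: The command-openapi hunk keeps GITHUB_TOKEN at `contents: read`, yet a comment-driven OpenAPI workflow typically regenerates the spec file and commits it to the PR branch, which needs either `contents: write` here or a separate bot token in the push step; the jobs after `init` are outside the hunk, so confirm which applies. If a bot PAT is used, record that in a comment on the block, e.g. `# read-only: the regenerated spec is pushed with the bot PAT, not GITHUB_TOKEN`. As with the other templates, a job-level `permissions:` key anywhere in this file would override this default instead of tightening it.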
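Review bot: The cypress hunk ends up with two consecutive blank lines between the `env:` block and `permissions:` — the original blank line before `jobs:` is kept and another `+` blank line is added — whereas every other template in this patch separates stanzas with a single blank line. Drop the extra added blank line so the files stay consistent (and quiet under yamllint's `empty-lines` rule). The `contents: read` default itself looks right for a test-only workflow; artifact uploads for screenshots or videos, if the jobs outside the hunk do any, need no token scope.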
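Review bot: `contents: read` in the documentation hunk looks too narrow for a job named `build-and-deploy` that runs on `release: published`: a deploy that pushes to a `gh-pages` branch with GITHUB_TOKEN needs `contents: write`, and a GitHub Pages deployment needs `pages: write` plus `id-token: write`. The job body is outside the hunk, so confirm which mechanism it uses and either grant the scope on that job (keeping the top-level block read-only) or document that a separate deploy key or token is used, e.g. `# deploy pushes with its own deploy key; GITHUB_TOKEN stays read-only`.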
@@ -14,6 +14,9 @@ on: # At 2:30 on Sundays - cron: '30 2 * * 0' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/workflow-templates/pr-feedback.yml b/workflow-templates/pr-feedback.yml index cda79480..7d496690 100644 --- a/workflow-templates/pr-feedback.yml +++ b/workflow-templates/pr-feedback.yml @@ -15,6 +15,10 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: if: ${{ github.repository_owner == 'nextcloud' }} diff --git a/workflow-templates/psalm-matrix.yml b/workflow-templates/psalm-matrix.yml index ff88c6cf..cbac517f 100644 --- a/workflow-templates/psalm-matrix.yml +++ b/workflow-templates/psalm-matrix.yml @@ -14,6 +14,9 @@ concurrency: group: psalm-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: matrix: runs-on: ubuntu-latest-low diff --git a/workflow-templates/psalm.yml b/workflow-templates/psalm.yml index c2d2e862..452186ee 100644 --- a/workflow-templates/psalm.yml +++ b/workflow-templates/psalm.yml @@ -14,6 +14,9 @@ concurrency: group: psalm-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: static-analysis: runs-on: ubuntu-latest diff --git a/workflow-templates/reuse.yml b/workflow-templates/reuse.yml index b6828556..0d8e1962 100644 --- a/workflow-templates/reuse.yml +++ b/workflow-templates/reuse.yml @@ -11,6 +11,9 @@ name: REUSE Compliance Check on: [pull_request] +permissions: + contents: read + jobs: reuse-compliance-check: runs-on: ubuntu-latest diff --git a/workflow-templates/update-nextcloud-ocp-matrix.yml b/workflow-templates/update-nextcloud-ocp-matrix.yml index 4e0f1457..e7537ef6 100644 --- a/workflow-templates/update-nextcloud-ocp-matrix.yml +++ b/workflow-templates/update-nextcloud-ocp-matrix.yml @@ -13,6 +13,9 @@ on: schedule: - cron: '5 2 * * 0' +permissions: + contents: read + jobs: update-nextcloud-ocp: runs-on: ubuntu-latest 
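Review bot: The npm-audit-fix hunk restricts GITHUB_TOKEN to `contents: read`, but a scheduled audit-fix workflow exists to push a branch and open a pull request, which with the default token requires `contents: write` and `pull-requests: write`; the `build` job is outside the hunk, so confirm whether the PR step uses a bot PAT instead. If it does, the read-only default is correct and deserves a comment such as `# PR creation uses the bot PAT; GITHUB_TOKEN is read-only`; if not, add the two write scopes on the `build` job rather than at the top level. Either way, remember that pull requests opened with GITHUB_TOKEN do not trigger other workflows, which is usually why projects reach for a PAT here.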
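Review bot: The `pull-requests: write` scope in the pr-feedback hunk is the only scope in this patch wider than read on a non-release workflow, and nothing says why; add a short comment above it, e.g. `# write needed to post the feedback comment on inactive PRs` (presumably the reason, given the workflow name), so it survives the next least-privilege sweep. The job is guarded by `if: ${{ github.repository_owner == 'nextcloud' }}`, so the write scope is only exercised upstream, but repositories that copy the template still inherit the grant, which is another reason to document it.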
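Review bot: `contents: read` in the update-nextcloud-ocp-matrix hunk is not enough for GITHUB_TOKEN if the workflow, as its name and weekly `cron` suggest, commits a bumped `nextcloud/ocp` requirement and opens a pull request; the `update-nextcloud-ocp` job steps are outside the hunk, so it is unclear whether a bot PAT is used for that. If it is, say so next to the block (`# GITHUB_TOKEN read-only; the update PR is created with the bot token`); otherwise scope `contents: write` and `pull-requests: write` to that job rather than raising the top-level default.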
diff --git a/workflow-templates/update-nextcloud-ocp.yml b/workflow-templates/update-nextcloud-ocp.yml index 90abc74b..ebb1d9f2 100644 --- a/workflow-templates/update-nextcloud-ocp.yml +++ b/workflow-templates/update-nextcloud-ocp.yml @@ -13,6 +13,9 @@ on: schedule: - cron: "5 2 * * 0" +permissions: + contents: read + jobs: update-nextcloud-ocp: runs-on: ubuntu-latest
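Review bot: In the update-nextcloud-ocp hunk the read-only GITHUB_TOKEN will break the final push-and-open-PR step of a scheduled dependency update unless that step authenticates with a separate token; the `update-nextcloud-ocp` job is outside the hunk, so this needs checking before the template is rolled out. Add `contents: write` and `pull-requests: write` on the job if the default token is used, or a comment such as `# read-only by design: the update PR is pushed with the bot PAT` if it is not, so the two update templates (this one and the matrix variant) stay consistent. A small style point: this file quotes the cron as `"5 2 * * 0"` while the matrix variant uses single quotes for the same value; either is fine, but matching them keeps the templates diffable.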