From 2d292976a66d6b53b30fe5c3c45b6192489cd433 Mon Sep 17 00:00:00 2001
From: Michael Adam
Date: Mon, 12 Aug 2024 18:08:55 +0200
Subject: [PATCH] ci: fix excessive token permissions -- again
PR https://github.com/rook/rook/pull/14473 tried to improve the token-permissions score of the OpenSSF scorecard report. https://scorecard.dev/viewer/?uri=github.com/rook/rook The latest scorecard run however shows that this score has not improved. It still shows two warbnings about missing top level permissions. The rest looks good (just Info entries). This change aims at finally improving the token-permissions score by adding top level permissions to the two warned-about workflow files.
Signed-off-by: Michael Adam
---
 .github/workflows/canary-integration-test.yml | 3 +++
 .github/workflows/integration-test-keystone-auth-suite.yaml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/canary-integration-test.yml b/.github/workflows/canary-integration-test.yml
index 2c8b393d25f2..6eb1bce56719 100644
--- a/.github/workflows/canary-integration-test.yml
+++ b/.github/workflows/canary-integration-test.yml
@@ -13,6 +13,9 @@ defaults:
 # reference: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell
 shell: bash --noprofile --norc -eo pipefail -x {0}
+permissions:
+ contents: read
+
 jobs:
 canary:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/integration-test-keystone-auth-suite.yaml b/.github/workflows/integration-test-keystone-auth-suite.yaml
index a10fb2c551d1..e6ac019691e4 100644
--- a/.github/workflows/integration-test-keystone-auth-suite.yaml
+++ b/.github/workflows/integration-test-keystone-auth-suite.yaml
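Review bot: The new top-level `permissions:` block in canary-integration-test.yml, and the identical one in integration-test-keystone-auth-suite.yaml, carries no comment saying that it is the workflow-wide GITHUB_TOKEN default and that naming only `contents: read` leaves every unlisted scope at `none`. The job definitions lie outside both hunks, so it is not visible here whether any step needs a scope beyond reading the repository; a job-level `permissions:` block overrides this default and is the right place for such a grant. I would add above the key in both files: `# Least-privilege GITHUB_TOKEN default; unlisted scopes are none. Grant extra scopes per job, not here.`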
@@ -13,6 +13,9 @@ defaults:
 # reference: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell
 shell: bash --noprofile --norc -eo pipefail -x {0}
+permissions:
+ contents: read
+
 # cancel the in-progress workflow when PR is refreshed.
 concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}