From 2d2d3b8c2bb15d7ec2fe2737c9dc1a6a4ba14ecd Mon Sep 17 00:00:00 2001
From: Matthew Feickert
Date: Sat, 25 May 2024 13:52:48 -0500
Subject: [PATCH] ci: Restrict content permissions to harden GitHub Actions
* Restrict content permissions to read. At the moment there are no steps to the changed workflows that use tokens, and so this is perventative if this ever changes.
* Extends PR 2483.
---
 .github/workflows/docs.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0bb1bc4315..81e9cd38e5 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -11,6 +11,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build docs
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fdce2d7b28..5cc93cb35c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 lint:
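Review bot: The new top-level `permissions:` block in docs.yml (and the identical one in lint.yml) carries no comment, and its side effect is easy to miss: once any scope is listed, every scope not listed is set to none for the workflow's `GITHUB_TOKEN`, in all jobs. I would put a comment above it such as `# Least-privilege GITHUB_TOKEN: scopes not listed here are none; grant extras per job`, so that a later step needing, say, `pull-requests: write` gets a job-level `permissions:` entry instead of a widened workflow-level one. The `jobs:` sections continue outside both hunks, so whether any existing step already relies on a broader token cannot be checked from here.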