From 259b0d255a2e80a3bcb9d6f351a39a44cd1c6a7a Mon Sep 17 00:00:00 2001
From: Shunsuke Suzuki
Date: Fri, 6 Jan 2023 16:50:52 +0900
Subject: [PATCH] ci: remove contents: read
---
 .github/workflows/actionlint.yaml | 3 +--
 .github/workflows/integration-test.yaml | 3 +--
 .github/workflows/release.yaml | 7 ++++---
 .github/workflows/renovate-config-validator.yaml | 3 +--
 .github/workflows/test.yaml | 3 +--
 5 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index 756d65a12..9663678df 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -11,8 +11,7 @@ on:
 branches: [main]
 paths:
 - .github/**
-permissions:
- contents: read
+permissions: {}
 jobs:
 default:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
index 1930dfefc..50a81a2d7 100644
--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -11,8 +11,7 @@ env:
 AQUA_LOG_LEVEL: debug
 AQUA_LOG_COLOR: always
 AQUA_POLICY_CONFIG: ${{ github.workspace }}/aqua-policy.yaml
-permissions:
- contents: read
+permissions: {}
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3d441ee5e..41cb3922d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,9 +3,7 @@ name: Release
 on:
 push:
 tags: [v*]
-permissions:
- contents: write # required to create a release
- id-token: write # required for cosign
+permissions: {}
 env:
 AQUA_POLICY_CONFIG: ${{ github.workspace }}/aqua-policy.yaml
 jobs:
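Review bot: The new `permissions: {}` line in actionlint.yaml (and the identical change in integration-test.yaml, renovate-config-validator.yaml and test.yaml) carries no comment saying why an empty scope set is sufficient, and the job steps that would show it are outside these hunks. With every scope set to none, a checkout step succeeds only when the repository is public; on a private fork or mirror it would fail, so that assumption is worth recording next to the setting. I would write `permissions: {} # GITHUB_TOKEN gets no scopes; checkout relies on the repository being public`, and grant any scope a job later needs at job level, as release.yaml does in this commit.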
@@ -13,6 +11,9 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 hashes: ${{ steps.hash.outputs.hashes }}
+ permissions:
+ contents: write # required to create a release
+ id-token: write # required for cosign
 steps:
 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
diff --git a/.github/workflows/renovate-config-validator.yaml b/.github/workflows/renovate-config-validator.yaml
index 8871dbd31..68ed32b4c 100644
--- a/.github/workflows/renovate-config-validator.yaml
+++ b/.github/workflows/renovate-config-validator.yaml
@@ -1,7 +1,6 @@
 name: renovate-config-validator
-permissions:
- contents: read
+permissions: {}
 on:
 pull_request:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 7256ecffd..bea6949d0 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -7,8 +7,7 @@ on:
 branches: [main]
 pull_request:
 branches: [main]
-permissions:
- contents: read
+permissions: {}
 jobs:
 build:
 runs-on: ubuntu-latest
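Review bot: Any other job in release.yaml loses the `contents: write` and `id-token: write` it used to inherit, because the workflow default is now `permissions: {}` and this hunk grants the two scopes to a single job. The `outputs: hashes:` entry suggests a later job consumes this job's output, but that job, this job's name and its remaining steps are outside the hunk, so whether it declares its own `permissions:` cannot be confirmed from here. Please check that each remaining job lists exactly the scopes it needs, and mark the intent on the new block, e.g. `permissions: # job-scoped; workflow default is {} so every other job must declare its own`.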