From 42cd129b7b6ded0365886d22120f4b045b80f05f Mon Sep 17 00:00:00 2001
From: Matthew Feickert
Date: Sat, 25 May 2024 14:52:01 -0500
Subject: [PATCH] ci: Restrict content permissions to harden GitHub Actions (#2484)

* Restrict content permissions to read.
  At the moment there are no steps to the changed workflows that use tokens, and so this is preventative if this ever changes.
* Give packages write permissions to publish to ghcr.
  - Amends PR https://github.com/scikit-hep/pyhf/pull/2483.
---
 .github/workflows/docker.yml | 3 +++
 .github/workflows/docs.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 578377650b..e71ac7f1ce 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -25,6 +25,9 @@ permissions:
 jobs:
   docker:
     name: Build, test, and publish Docker images to Docker Hub
+    permissions:
+      contents: read
+      packages: write # for docker to push to registry
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0bb1bc4315..81e9cd38e5 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build docs
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fdce2d7b28..5cc93cb35c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
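Review bot: The job-level `permissions:` block added to the `docker` job replaces, rather than merges with, the workflow-level `permissions:` that the hunk header shows precedes it at line 25, so this job's GITHUB_TOKEN ends up with exactly `contents: read` and `packages: write` and nothing else the top-level block may grant; that looks intended but is worth stating, and the inline comment should name the registry, since the job name says Docker Hub while the commit message says ghcr, e.g. `packages: write # GITHUB_TOKEN pushes to ghcr.io; the Docker Hub push presumably uses its own secret`. If this workflow also runs on pull_request events, the write scope is held for the whole job including the build and test steps; where the push step is conditional on a tag or the default branch, moving publishing into its own job would keep `packages: write` off the test path. The job's trigger list and remaining steps are outside the hunk, so this is inferred from the job name only.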
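Review bot: The new workflow-level `contents: read` in docs.yml carries no comment explaining why it is the chosen scope, and the identical unannotated block is added in lint.yml; the rationale from the commit message (no step currently uses the token, `contents: read` is the minimum actions/checkout needs) should live in the file so the next editor does not widen it casually, e.g. `contents: read # minimum for actions/checkout; grant additional scopes per job, not here`. Because a workflow-level block applies to every job, any future step in `build` that needs another scope (a deploy or a PR comment, for instance) should get a job-level block as the docker.yml hunk does rather than broadening this one. The `build` job's steps are outside the hunk, so whether any of them already needs more than read access cannot be confirmed from here.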