From 7e298c96827d6fa17b14fc31fe3ecb552038c0bb Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Thu, 15 Jun 2023 19:47:57 -0300
Subject: [PATCH 1/2] ci: define minimal permissions for GitHub workflows

Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/daily-build.yml | 5 +++++
 .github/workflows/h5py.yml | 3 +++
 .github/workflows/netcdf.yml | 3 +++
 .github/workflows/release.yml | 4 ++++
 4 files changed, 15 insertions(+)

diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 265a6c330c6..ec35e104a94 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: "6 0 * * *"

+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel.
 jobs:
@@ -21,6 +24,8 @@ jobs:

 call-workflow-release:
 needs: [call-workflow-tarball, call-workflow-ctest]
+ permissions:
+ contents: write # In order to allow tag creation
 uses: ./.github/workflows/release.yml
 with:
 file_base: ${{ needs.call-workflow-tarball.outputs.file_base }}
diff --git a/.github/workflows/h5py.yml b/.github/workflows/h5py.yml
index fb82dc15645..63531ed5ff6 100644
--- a/.github/workflows/h5py.yml
+++ b/.github/workflows/h5py.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "6 0 * * *"

+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/netcdf.yml b/.github/workflows/netcdf.yml
index 137e5e55c6e..37041d6966e 100644
--- a/.github/workflows/netcdf.yml
+++ b/.github/workflows/netcdf.yml
@@ -14,6 +14,9 @@ on:
 - 'COPYING**'
 - '**.md'

+permissions:
+ contents: read
+
 # Using concurrency to cancel any in-progress job or run
 concurrency:
 group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae5843431ce..bc7234d1f42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
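Review bot: The `contents: write` granted to `call-workflow-release` is the token ceiling for every job in the called release.yml, not only the step that creates the tag, so any action or script that workflow runs gets repository write on each scheduled run; a called workflow can only downgrade what the caller passes in, so this is acceptable only if release.yml keeps its own default at `contents: read` and raises to write in just the job that pushes the tag, which this hunk cannot show. The inline comment should also follow yamllint's two-space rule and name the consumer rather than the mechanism, e.g. `contents: write  # ceiling for release.yml; its create-tag job needs write to push the tag`. The `call-workflow-release` job may continue past `file_base:` outside the hunk.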
@@ -17,6 +17,10 @@ on:
 required: true
 type: string

+# Minimal permissions to be inherited by any job that don't declare it's own permissions
+permissions:
+ contents: read
+
 # Previous workflows must pass to get here so tag the commit that created the files
 jobs:
 create-tag:

From d71f1fedd31dd34e94b1d0b17f28f0c37d92e9c6 Mon Sep 17 00:00:00 2001
From: Dana Robinson <43805+derobins@users.noreply.github.com>
Date: Fri, 16 Jun 2023 07:32:29 -0700
Subject: [PATCH 2/2] Update .github/workflows/release.yml

Co-authored-by: Larry Knox
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bc7234d1f42..e79dfd26015 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ on:
 required: true
 type: string

-# Minimal permissions to be inherited by any job that don't declare it's own permissions
+# Minimal permissions to be inherited by any job that doesn't declare its own permissions
 permissions:
 contents: read
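Review bot: The workflow-level `contents: read` added here also applies to `create-tag` unless that job declares its own `permissions:`, because a reusable workflow can only downgrade the token the caller passed in; if `create-tag` relies on the caller's `contents: write` without restating it, the tag push would run with a read-only token and fail. The `create-tag` job body lies outside this hunk, so this cannot be confirmed from the patch; if the job does not already carry it, add `permissions:` / `  contents: write  # pushes the release tag` directly under `create-tag:`. Keeping the write grant on the one job that needs it, rather than widening the workflow default, is the right shape and matches the intent stated in the new comment.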