From 7e218bef8b7b277375c77b16d30b7ec61ae4e5f6 Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 23 Sep 2022 13:22:49 +0200 Subject: [PATCH] build: harden conan-package.yml permissions Signed-off-by: Alex --- .github/workflows/conan-package.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/conan-package.yml b/.github/workflows/conan-package.yml index d7f4557b81..ce9d9998eb 100644 --- a/.github/workflows/conan-package.yml +++ b/.github/workflows/conan-package.yml @@ -47,13 +47,20 @@ on: - '[1-9].[0-9].[0-9]+' - '[1-9].[0-9][0-9].[0-9]+' +permissions: {} jobs: conan-recipe-version: + permissions: + contents: read + uses: ultimaker/cura/.github/workflows/conan-recipe-version.yml@main with: project_name: cura conan-package-export: + permissions: + contents: read + needs: [ conan-recipe-version ] uses: ultimaker/cura/.github/workflows/conan-recipe-export.yml@main with: @@ -65,6 +72,9 @@ jobs: secrets: inherit conan-package-create-linux: + permissions: + contents: read + if: ${{ (github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'master' || needs.conan-recipe-version.outputs.is_release_branch == 'true')) || (github.event_name == 'workflow_dispatch' && inputs.create_binaries_linux) }} needs: [ conan-recipe-version, conan-package-export ]
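Review bot: The workflow-level `permissions: {}` added above `jobs:` carries no comment, and it empties the token for every job without its own block, while the visible hunks grant `contents: read` to only three jobs (`conan-recipe-version`, `conan-package-export`, and `conan-package-create-linux` in the second hunk). Any job further down the file, outside these hunks, would run with no scopes at all, so confirm that is intended and record it with a comment such as `# deny by default; each job opts in to the scopes it needs`. For the jobs that call a reusable workflow via `uses:`, the job-level block is also the ceiling for the called workflow, so `contents: read` has to cover everything the callee does with the token. Token scoping does not restrict what `secrets: inherit` on `conan-package-export` hands over, and the called workflows are referenced at `@main` rather than a commit SHA, so pinning them would complete the hardening. The `conan-package-create-linux` job continues past the end of the second hunk.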