From 1f8d89be689d6637c72863b6808ff415b5bc6bbc Mon Sep 17 00:00:00 2001
From: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
Date: Wed, 23 Mar 2022 16:09:50 -0400
Subject: [PATCH] Fix permissions on Github Actions jobs (#7430)

Related: #7425
---
 .github/workflows/infra_tests.yml   | 7 ++++++-
 .github/workflows/presubmit.yml     | 6 +++++-
 .github/workflows/project_tests.yml | 5 +++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/infra_tests.yml b/.github/workflows/infra_tests.yml
index 22bb98583..63919c2e8 100644
--- a/.github/workflows/infra_tests.yml
+++ b/.github/workflows/infra_tests.yml
@@ -1,4 +1,8 @@
 name: Infra tests
+
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:
@@ -8,7 +12,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-
+    permissions:
+      actions: write
     steps:
       - name: Cancel previous
         uses: styfle/cancel-workflow-action@0.8.0
diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml
index 1e80301ab..d24e34ff8 100644
--- a/.github/workflows/presubmit.yml
+++ b/.github/workflows/presubmit.yml
@@ -1,5 +1,8 @@
 name: Presubmit checks
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:
@@ -8,7 +11,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-
+    permissions:
+      actions: write
     steps:
       - name: Cancel previous
         uses: styfle/cancel-workflow-action@0.8.0
diff --git a/.github/workflows/project_tests.yml b/.github/workflows/project_tests.yml
index 4d5e4f02a..aba4d527c 100644
--- a/.github/workflows/project_tests.yml
+++ b/.github/workflows/project_tests.yml
@@ -1,5 +1,8 @@
 name: Project tests
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:
@@ -8,6 +11,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     strategy:
       fail-fast: false
       matrix: