From ac883316ab062df7a8fc86eca94530052c66e7ad Mon Sep 17 00:00:00 2001
From: Luc Grosheintz
Date: Sat, 15 Mar 2025 11:25:22 +0100
Subject: [PATCH 1/2] ci: reduce permissions for GITHUB_TOKEN.

---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f6abf88c..87041c20 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,9 @@
 name: Unit Tests
 
+# See, scorecard.dev (Token Permission)
+# https://github.com/ossf/scorecard/blob/a16e0f9eb245274f08512e33dc7afa78d21c460c/docs/checks.md#token-permissions
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}#${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'main' }}

From d12d8ddb5ea953d3e682b7f54ff128c3d800b10e Mon Sep 17 00:00:00 2001
From: Luc Grosheintz
Date: Sat, 15 Mar 2025 11:57:46 +0100
Subject: [PATCH 2/2] Add permission to the other (easy) cases.

---
 .github/workflows/clang_format.yml | 2 ++
 .github/workflows/coverage.yml | 2 ++
 .github/workflows/gh-pages.yml | 10 +++++-----
 .github/workflows/integration_trigger.yml | 2 ++
 .github/workflows/version_file.yml | 2 ++
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/clang_format.yml b/.github/workflows/clang_format.yml
index 4ff009c2..81ba6ba4 100644
--- a/.github/workflows/clang_format.yml
+++ b/.github/workflows/clang_format.yml
@@ -1,5 +1,7 @@
 name: ClangFormat
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}#${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index cacdccb7..fbbf2aaf 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -1,5 +1,7 @@
 name: Coverage
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}#${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index c68b32ca..2a0c2ccb 100644
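Review bot: `permissions: read-all` is broader than the visible needs of a unit-test workflow; `read-all` grants read on every token scope (packages, pull-requests, issues, deployments, …), whereas a job that only checks out the repository and runs tests needs just `contents: read`. I would write the top-level block as `permissions:` / `  contents: read`, and if a job later in ci.yml turns out to need a write scope (the jobs are outside this hunk), grant it on that job alone rather than widening the workflow default. Note that once any top-level `permissions` key is present, the default-token write scopes disappear for every job in the file, so a job that relied on the defaults (for example to push a tag or post a check) will start failing with 403 after this change. The comment `# See, scorecard.dev (Token Permission)` would read better as `# Least-privilege GITHUB_TOKEN; see the OSSF Scorecard "Token-Permissions" check:`, with the pinned checks.md link kept as is.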
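Review bot: With `permissions: read-all` at the top of coverage.yml, any step that reports coverage back to the pull request through GITHUB_TOKEN — a PR comment, a commit status or a check run — will now fail with 403; the job body is outside the hunk, so I cannot tell whether such a step exists. Uploads that authenticate with a repository secret (a coverage-service token) are unaffected and `read-all` is fine for them. If a write scope is needed, add it at job level only, e.g. `permissions:` / `  contents: read` / `  pull-requests: write` on the reporting job, keeping the workflow default read-only; for a plain checkout-build-upload job, `contents: read` is a tighter default than `read-all`.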
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -1,5 +1,10 @@
 name: Documentation
 
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
 on:
   push:
     branches:
@@ -9,11 +14,6 @@ on:
       - v2.x
       - main
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 # Allow only one concurrent deployment
 concurrency:
   group: ${{ github.workflow }}#${{ github.ref }}
diff --git a/.github/workflows/integration_trigger.yml b/.github/workflows/integration_trigger.yml
index 06f57302..5b31cf30 100644
--- a/.github/workflows/integration_trigger.yml
+++ b/.github/workflows/integration_trigger.yml
@@ -1,5 +1,7 @@
 name: Integration Test Trigger
 
+permissions: read-all
+
 on:
   push:
     branches:
diff --git a/.github/workflows/version_file.yml b/.github/workflows/version_file.yml
index 5b7755c6..349787ad 100644
--- a/.github/workflows/version_file.yml
+++ b/.github/workflows/version_file.yml
@@ -1,5 +1,7 @@
 name: HighFive Check Version File
 
+permissions: read-all
+
 on:
   workflow_dispatch:
   push:
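Review bot: `pages: write` and `id-token: write` are set at workflow level, so every job in gh-pages.yml can mint an OIDC token and a Pages deployment token, not only the step that deploys; if the documentation build is a separate job, that is where third-party actions and build dependencies execute, and they inherit these scopes too. Least privilege is to keep `contents: read` as the workflow default and move `pages: write` / `id-token: write` into a job-level `permissions:` on the deploy job alone; the jobs are outside this hunk, so I cannot confirm how build and deploy are split. An OIDC token obtained from a build job carries the same repository and ref claims as one from the deploy job, so any cloud role or registry trusting this repo's OIDC identity would be reachable from build steps as well. Relocating the block to the top of the file is otherwise fine and matches the other workflows in this series.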
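Review bot: `permissions: read-all` leaves GITHUB_TOKEN unable to dispatch anything: triggering a workflow via `workflow_dispatch` needs `actions: write` and `repository_dispatch` needs `contents: write`, so if the trigger step in this file uses the default token it will fail with 403 after this change (the job is outside the hunk). If it instead uses a PAT or GitHub App installation token stored as a secret — the usual arrangement for cross-repository triggers — then `read-all` is correct and that secret's scope is what deserves review. Either way, record the intent next to the key so the next maintainer does not "fix" it by widening the workflow default, e.g. `# Dispatch authenticates with a dedicated token secret, not GITHUB_TOKEN; keep this read-only.` adjusted to whichever is true.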