From 4c2d5e7f7d4a8cf373ca27a78f2b25a9d6d038af Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 23:17:38 +0200
Subject: [PATCH 1/2] build: harden benchmark.yml permissions
Signed-off-by: Alex
---
 .github/workflows/benchmark.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 397224dce01..63cc6d26596 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -8,6 +8,9 @@ on:
 pull_request: {}
 workflow_dispatch: {}
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 federation-benchmark:
 name: Federation Benchmark with ${{matrix.products_size}} Products
From 54299b1809322a1e9b3251060aa4f705c35ed811 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 23:19:07 +0200
Subject: [PATCH 2/2] build: harden release.yml permissions
Signed-off-by: Alex
---
 .github/workflows/release.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index acaa427aa74..1c1aa4ddefc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,8 +4,12 @@ on:
 branches:
 - master
+permissions: {}
 jobs:
 stable:
+ permissions:
+ contents: write # to create release
+
 uses: the-guild-org/shared-config/.github/workflows/release-stable.yml@main
 with:
 releaseScript: release
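Review bot: In benchmark.yml the new workflow-level `permissions:` block leaves every scope other than `contents` at none, and nothing visible in the hunk shows that the `federation-benchmark` steps need only a checkout. The job body is outside the hunk. If a step reports results back to the pull request, for example as a comment or a check, it will start failing on the token, and the scope it needs should be granted on that job rather than workflow-wide. Once that has been checked, I would record it in the comment, e.g. `contents: read # checkout only; benchmark steps make no API writes`.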
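Review bot: In release.yml the `stable` job now explicitly grants `contents: write` to a reusable workflow referenced by the branch ref `@main`, so whatever lands on that branch later runs with a write token on this repository. Pinning the reference keeps the grant tied to reviewed code: `uses: the-guild-org/shared-config/.github/workflows/release-stable.yml@<full-commit-sha>`. The job-level block is also the ceiling for the called workflow's token, so if release-stable.yml opens a release pull request or publishes via OIDC (not visible here), those scopes must be listed next to `contents: write` or the release will fail. The `with:` block may continue past the end of the hunk.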