From bd6bf9315a770d73d7f9374fb600b4acdbab591d Mon Sep 17 00:00:00 2001
From: Alex
Date: Fri, 23 Sep 2022 22:51:33 +0200
Subject: [PATCH 1/2] build: harden linters.yml permissions

Signed-off-by: Alex
---
 .github/workflows/linters.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index 9dbee1eede..adabb59404 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -1,5 +1,7 @@
 name: Linters
 on: [push, pull_request]
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
   rubocop:
     name: runner / rubocop

From 8ce82a9ad67a3a494431a6dae7213b22367513a8 Mon Sep 17 00:00:00 2001
From: Alex
Date: Fri, 23 Sep 2022 22:52:16 +0200
Subject: [PATCH 2/2] build: harden mapi.yml permissions

Signed-off-by: Alex
---
 .github/workflows/mapi.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/mapi.yml b/.github/workflows/mapi.yml
index d26d4fc9fa..bc4c43b6dc 100644
--- a/.github/workflows/mapi.yml
+++ b/.github/workflows/mapi.yml
@@ -1,7 +1,12 @@
 name: 'Mayhem for API'
 on: workflow_dispatch
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
   test:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      security-events: write # to upload SARIF results (github/codeql-action/upload-sarif)
     if: ${{ github.repository_owner == 'openfoodfoundation' }}
     runs-on: ubuntu-latest
     strategy:
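Review bot: The rubocop job is left with only the workflow-level `contents: read`, and if its steps (outside the hunk) run reviewdog with a `github-pr-check` or `github-pr-review` reporter — which the `runner / rubocop` job name suggests but the hunk does not show — the token would lack the `checks: write` or `pull-requests: write` scope that reporter needs, so the annotation step would likely be rejected on pushes and same-repo pull requests. Verify the steps and, if that is the case, add a job-level block such as `permissions:` / `contents: read` / `pull-requests: write` to the rubocop job. Separately, the added inline comment uses a single space before `#`; yamllint's `comments` rule expects at least two, e.g. `  contents: read  # to fetch code (actions/checkout)`, and the same applies to the three added comment lines in the mapi.yml hunk. The rubocop job's body continues outside the hunk.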
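Review bot: The job-level `permissions` block on the test job replaces the workflow-level defaults rather than extending them, which is why `contents: read` is repeated there; that dependency is not stated, and a later cleanup that drops the apparently duplicate line would silently break checkout. A comment above the job-level block, `# job-level permissions replace the workflow-level set, so contents: read must be repeated here`, would record the intent. The step that uploads the SARIF (named in the `security-events` comment) is outside the hunk, so whether the write scope is actually exercised cannot be confirmed from here; if no such step exists, `security-events: write` is an unneeded write grant and should be removed to keep the token minimal. The test job's body continues outside the hunk.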