From e8befbf5f39f0bd2e5a967156bb301f83f4a4cec Mon Sep 17 00:00:00 2001
From: Steffen Winter <steffen.winter@proton.me>
Date: Thu, 26 Mar 2026 22:29:58 +0100
Subject: [PATCH] ci: require as little permissions as possible

---
 .github/workflows/cmake-freebsd.yml            | 2 ++
 .github/workflows/cmake-linux.yml              | 2 ++
 .github/workflows/cmake-macos.yml              | 2 ++
 .github/workflows/cmake-netbsd.yml             | 2 ++
 .github/workflows/cmake-openbsd.yml            | 2 ++
 .github/workflows/continuous-build-freebsd.yml | 2 ++
 .github/workflows/continuous-build-gpu.yml     | 2 ++
 .github/workflows/continuous-build-linux.yml   | 2 ++
 .github/workflows/continuous-build-macos.yml   | 2 ++
 .github/workflows/continuous-build-netbsd.yml  | 2 ++
 .github/workflows/continuous-build-openbsd.yml | 2 ++
 .github/workflows/test-snap-can-build.yml      | 3 +++
 12 files changed, 25 insertions(+)

diff --git a/.github/workflows/cmake-freebsd.yml b/.github/workflows/cmake-freebsd.yml
index c61779df..71179ee9 100644
--- a/.github/workflows/cmake-freebsd.yml
+++ b/.github/workflows/cmake-freebsd.yml
@@ -1,5 +1,7 @@
 name: FreeBSD CMake
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/cmake-linux.yml b/.github/workflows/cmake-linux.yml
index d1ff398c..c95f554c 100644
--- a/.github/workflows/cmake-linux.yml
+++ b/.github/workflows/cmake-linux.yml
@@ -1,5 +1,7 @@
 name: Linux CMake
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/cmake-macos.yml b/.github/workflows/cmake-macos.yml
index a67c3529..93a75b19 100644
--- a/.github/workflows/cmake-macos.yml
+++ b/.github/workflows/cmake-macos.yml
@@ -1,5 +1,7 @@
 name: macOS CMake
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/cmake-netbsd.yml b/.github/workflows/cmake-netbsd.yml
index 2e4fd0d8..82aa453b 100644
--- a/.github/workflows/cmake-netbsd.yml
+++ b/.github/workflows/cmake-netbsd.yml
@@ -1,5 +1,7 @@
 name: NetBSD CMake
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/cmake-openbsd.yml b/.github/workflows/cmake-openbsd.yml
index e302f028..18fbd598 100644
--- a/.github/workflows/cmake-openbsd.yml
+++ b/.github/workflows/cmake-openbsd.yml
@@ -1,5 +1,7 @@
 name: OpenBSD CMake
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/continuous-build-freebsd.yml b/.github/workflows/continuous-build-freebsd.yml
index 7ba2f1c9..f3c5ec02 100644
--- a/.github/workflows/continuous-build-freebsd.yml
+++ b/.github/workflows/continuous-build-freebsd.yml
@@ -1,5 +1,7 @@
 name: Continuous Build FreeBSD
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/continuous-build-gpu.yml b/.github/workflows/continuous-build-gpu.yml
index da0a56ed..0d83b148 100644
--- a/.github/workflows/continuous-build-gpu.yml
+++ b/.github/workflows/continuous-build-gpu.yml
@@ -1,5 +1,7 @@
 name: Continuous Build Gpu
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/continuous-build-linux.yml b/.github/workflows/continuous-build-linux.yml
index 9fca56fc..c67d915e 100644
--- a/.github/workflows/continuous-build-linux.yml
+++ b/.github/workflows/continuous-build-linux.yml
@@ -1,5 +1,7 @@
 name: Continuous Build Linux
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/continuous-build-macos.yml b/.github/workflows/continuous-build-macos.yml
index 1e94d4c6..6fae8c44 100644
--- a/.github/workflows/continuous-build-macos.yml
+++ b/.github/workflows/continuous-build-macos.yml
@@ -1,5 +1,7 @@
 name: Continuous Build MacOS
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/continuous-build-netbsd.yml b/.github/workflows/continuous-build-netbsd.yml
index 7985199e..1e54680f 100644
--- a/.github/workflows/continuous-build-netbsd.yml
+++ b/.github/workflows/continuous-build-netbsd.yml
@@ -1,5 +1,7 @@
 name: Continuous Build NetBSD
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/continuous-build-openbsd.yml b/.github/workflows/continuous-build-openbsd.yml
index 4decbc9c..d0ccb8cf 100644
--- a/.github/workflows/continuous-build-openbsd.yml
+++ b/.github/workflows/continuous-build-openbsd.yml
@@ -1,5 +1,7 @@
 name: Continuous Build OpenBSD
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/test-snap-can-build.yml b/.github/workflows/test-snap-can-build.yml
index 7775ca5d..d734a31d 100644
--- a/.github/workflows/test-snap-can-build.yml
+++ b/.github/workflows/test-snap-can-build.yml
@@ -1,4 +1,7 @@
 name: 🧪 Test snap can be built on x86_64
+
+permissions: {}
+
 on:
   workflow_dispatch:
   push: