From 945129915a9ea76791b74dd9a7674e76b7d4289b Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 12 Mar 2025 18:29:50 -0700
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#229)
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/publish.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 710b256..587b776 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main ]
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index db4ce3d..b940398 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,9 @@ on:
 types: [created]
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 release-build:
 runs-on: ubuntu-latest
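Review bot: The new top-level `permissions:` block in ci.yml (and the identical one in publish.yml) carries no comment saying it is the workflow-wide default for `GITHUB_TOKEN`, so a later editor may widen it here rather than on the one job that needs more. I would put `# Least-privilege default for GITHUB_TOKEN; grant extra scopes per job under jobs.<job_id>.permissions` directly above it. The `test` job continues past the end of the hunk, so whether any of its steps needs a scope beyond `contents: read` cannot be checked from these lines.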
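Review bot: With `contents: read` set at workflow level in publish.yml, every scope that is not listed becomes `none` for all jobs, so whichever job performs the publish must now request its own scopes. The hunk ends inside `release-build` and the rest of the file is not shown. If a later job uploads release assets or relies on OIDC trusted publishing, it needs a job-level `permissions:` block with `contents: write` or `id-token: write` respectively, otherwise the first release after this commit would fail at the publish step. Because `workflow_dispatch` allows a run without a release event, it is also worth confirming that the publishing job is gated, for example by a protected environment.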