From b56a244adb7104ae4ec92e2b2634535871aab16f Mon Sep 17 00:00:00 2001 From: marvinfriede <51965259+marvinfriede@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:25:02 +0100 Subject: [PATCH] Remove excessive permissions in GA --- .github/workflows/macos-arm.yaml | 3 +++ .github/workflows/macos-x86.yaml | 3 +++ .github/workflows/release.yaml | 18 ++++++++++++++++++ .github/workflows/ubuntu.yaml | 3 +++ .github/workflows/windows.yaml | 3 +++ 5 files changed, 30 insertions(+) diff --git a/.github/workflows/macos-arm.yaml b/.github/workflows/macos-arm.yaml index f785470..8bbf73f 100644 --- a/.github/workflows/macos-arm.yaml +++ b/.github/workflows/macos-arm.yaml @@ -64,6 +64,9 @@ jobs: - python-version: "3.11" torch-version: "1.13.1" + permissions: + contents: read + runs-on: ${{ matrix.os }} defaults: diff --git a/.github/workflows/macos-x86.yaml b/.github/workflows/macos-x86.yaml index 5aa3799..8181253 100644 --- a/.github/workflows/macos-x86.yaml +++ b/.github/workflows/macos-x86.yaml @@ -75,6 +75,9 @@ jobs: - python-version: "3.11" torch-version: "1.13.1" + permissions: + contents: read + runs-on: ${{ matrix.os }} defaults: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6f996b3..7948e89 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -29,7 +29,11 @@ on: jobs: wheel: + permissions: + contents: read + runs-on: ubuntu-latest + steps: - name: Checkout code uses: actions/checkout@v3 @@ -45,7 +49,11 @@ jobs: path: dist/*.whl sdist: + permissions: + contents: read + runs-on: ubuntu-latest + steps: - name: Checkout code uses: actions/checkout@v3 @@ -62,10 +70,15 @@ jobs: upload_test_pypi: needs: [sdist, wheel] + runs-on: ubuntu-latest + environment: release + permissions: + contents: read id-token: write + if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') steps: - name: Download build artifacts 
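Review bot: The added `permissions:` / `contents: read` block is scoped to the one job it sits in, so any other job in this workflow without its own `permissions:` key (or one added later) still receives the repository's default GITHUB_TOKEN grants; the same holds for the macos-x86, ubuntu and windows hunks. For test workflows that only need to check out code, a single workflow-level `permissions:` / `contents: read` next to `on:` is the more robust default, with job-level blocks reserved for jobs that genuinely need more. I cannot see the rest of these workflows here, so whether further jobs exist is inferred rather than confirmed.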
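Review bot: In the `wheel` job (and `sdist` in the next hunk) the new `permissions:` block is placed above `runs-on:`, while the `upload_test_pypi` and `upload_pypi` hunks of the same file put it after `runs-on:` and `environment:`; one key order across release.yaml (`runs-on`, `environment`, `permissions`, `if`, `steps`) makes later permission audits easier to eyeball. `contents: read` is the right grant for these two jobs, as they check out the repository. Since these jobs build the artifacts that are later published, it would also be worth pinning the `uses: actions/checkout@v3` reference (a context line here) to a full commit SHA with a version comment, as a mutable tag is a supply-chain exposure in a release pipeline and v3 has since been superseded by v4.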
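Review bot: `upload_test_pypi` now carries `contents: read` together with `id-token: write`, yet its visible steps start by downloading the artifacts built by `sdist`/`wheel`, and a job that never checks out the repository does not obviously need read access to it; if the steps outside this hunk confirm that, the block can shrink to `permissions:` / `id-token: write`, the minimal set for OIDC trusted publishing. The same applies to the `upload_pypi` hunk that follows. The new `environment: release` makes the OIDC token environment-scoped, so if the trusted publisher on Test PyPI/PyPI was registered with an environment name it must be exactly `release`, and protecting that environment (required reviewers, branch/tag restrictions) is what turns the tag-based `if:` guard into an actual control rather than a convenience. The remainder of the job's steps lies outside the hunk.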
@@ -81,10 +94,15 @@ jobs: upload_pypi: needs: [sdist, wheel, upload_test_pypi] + runs-on: ubuntu-latest + environment: release + permissions: + contents: read id-token: write + if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') steps: - name: Download build artifacts diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml index 1f8d91f..97a1e13 100644 --- a/.github/workflows/ubuntu.yaml +++ b/.github/workflows/ubuntu.yaml @@ -83,6 +83,9 @@ jobs: runs-on: ${{ matrix.os }} + permissions: + contents: read + defaults: run: shell: bash {0} diff --git a/.github/workflows/windows.yaml b/.github/workflows/windows.yaml index e6cd6a6..4737dda 100644 --- a/.github/workflows/windows.yaml +++ b/.github/workflows/windows.yaml @@ -73,6 +73,9 @@ jobs: - python-version: "3.8" torch-version: "2.5.1" + permissions: + contents: read + runs-on: ${{ matrix.os }} defaults:
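Review bot: In ubuntu.yaml the new `permissions:` / `contents: read` block lands after `runs-on:`, whereas the macos-arm, macos-x86 and windows hunks insert it before `runs-on:`; since these four workflows are otherwise parallel, keeping the same key order in each makes a cross-workflow permission review a straight line-by-line comparison. This is a style point only, as the resulting job permissions are identical.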