From 7c9fdbf5cad4aa8d7f127f25640a7ed5fa73bfa4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B3bert=20Papp=20=28TWiStErRob=29?=
Date: Fri, 2 Feb 2024 09:39:17 +0000
Subject: [PATCH] Explicit permissions for each job
---
 .github/workflows/gradle-dependency-submission.yaml | 8 +++++---
 .github/workflows/merge-check.yml | 4 ++++
 .github/workflows/publish-snapshot.yml | 4 ++++
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/gradle-dependency-submission.yaml b/.github/workflows/gradle-dependency-submission.yaml
index 017647a..2414624 100644
--- a/.github/workflows/gradle-dependency-submission.yaml
+++ b/.github/workflows/gradle-dependency-submission.yaml
@@ -5,12 +5,14 @@ on:
 branches:
 - main
-permissions:
- contents: write
-
 jobs:
 dependency-submission:
 runs-on: ubuntu-latest
+
+ permissions:
+ # The Dependency Submission API requires write permission.
+ contents: write
+
 steps:
 - name: "Checkout sources"
diff --git a/.github/workflows/merge-check.yml b/.github/workflows/merge-check.yml
index 8452743..7d1ef0e 100644
--- a/.github/workflows/merge-check.yml
+++ b/.github/workflows/merge-check.yml
@@ -17,6 +17,10 @@ jobs:
 matrix:
 os: [ macos-latest, ubuntu-latest ]
 if: ${{ !contains(github.event.head_commit.message, 'ci skip') }}
+
+ permissions:
+ contents: read
+
 steps:
 - name: "Checkout sources"
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml
index 848731a..664370c 100644
--- a/.github/workflows/publish-snapshot.yml
+++ b/.github/workflows/publish-snapshot.yml
@@ -9,6 +9,10 @@ jobs:
 publish:
 name: "Publish to Sonatype"
 runs-on: macos-latest
+
+ permissions:
+ contents: read
+
 steps:
 - name: "Checkout sources"
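Review bot: In gradle-dependency-submission.yaml the workflow-level `permissions` block is deleted rather than narrowed, so the workflow no longer declares a default, and any job added later without its own block will receive the repository's default GITHUB_TOKEN scopes. Keeping a top-level `permissions: {}` alongside the new per-job grants would make the file deny-by-default. The hunks for merge-check.yml and publish-snapshot.yml likewise add only job-level blocks; whether those files already set a workflow-level default is not visible here. Because this job's token carries `contents: write`, it is also worth confirming that the checkout step, which continues outside the hunk, does not leave that token in the local git config (`persist-credentials: false` if it uses actions/checkout).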