From d81b1ef82b53b2888b737d44ffbb7816b7ee98ae Mon Sep 17 00:00:00 2001
From: Slawomir Jaranowski
Date: Tue, 9 Jan 2024 22:26:22 +0100
Subject: [PATCH] Restrict permissions to GITHUB_TOKEN
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
https://github.com/release-drafter/release-drafter
---
 .github/workflows/maven-verify.yml | 3 +++
 .github/workflows/release-drafter.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/maven-verify.yml b/.github/workflows/maven-verify.yml
index 54ab782..8a48238 100644
--- a/.github/workflows/maven-verify.yml
+++ b/.github/workflows/maven-verify.yml
@@ -157,6 +157,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# clare all permissions for GITHUB_TOKEN
+permissions: {}
+
 jobs:
 # verify build on one node - before matrix will start
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index bfbcd66..7af2a67 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -23,6 +23,9 @@ on:
 jobs:
 update_release_draft:
+ permissions:
+ # write permission is required to create a github release
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: release-drafter/release-drafter@v5
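Review bot: The added comment in maven-verify.yml is misspelled: `# clare all permissions for GITHUB_TOKEN` should read `# clear all permissions for GITHUB_TOKEN`. Beyond the typo, `permissions: {}` at workflow level sets every scope to `none`, including `contents: read`, for each job that does not declare its own block. The jobs themselves lie outside this hunk, so it cannot be confirmed here whether any of them checks out a private repository or reads packages with the token. Where one does, it needs a job-level grant such as `contents: read`, and the comment could say so, so that the empty map is not later widened at workflow level instead.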
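Review bot: The new job-level block on `update_release_draft` lists only `contents: write`, and once any scope is named every unlisted scope becomes `none`, so the job no longer holds any `pull-requests` permission. release-drafter's README gives read access to pull requests as the minimum (write only for the autolabeler). On a public repository the reads may still succeed, but that is not guaranteed elsewhere, so consider adding `pull-requests: read` under `contents: write` with a one-line comment. Unlike maven-verify.yml, this file gets no top-level `permissions: {}` in this commit, so unless one already exists outside the hunk, a job added later would fall back to the repository default token scopes. The `steps:` list continues outside the hunk.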