From 419a7819d310cde77172a99ddd4616adf8c24376 Mon Sep 17 00:00:00 2001
From: CoolCat467 <52022020+CoolCat467@users.noreply.github.com>
Date: Mon, 20 Jan 2025 18:26:09 -0600
Subject: [PATCH] Don't use default permissions (zizmor)

---
 .github/workflows/check-newsfragment.yml | 2 ++
 .github/workflows/ci.yml                 | 2 ++
 .github/workflows/release.yml            | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/check-newsfragment.yml b/.github/workflows/check-newsfragment.yml
index 524dcd440..5acbf4d59 100644
--- a/.github/workflows/check-newsfragment.yml
+++ b/.github/workflows/check-newsfragment.yml
@@ -1,5 +1,7 @@
 name: Check newsfragment
 
+permissions: {}
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, synchronize]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 47a2c1d7d..a4489e609 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,7 @@
 name: CI
 
+permissions: {}
+
 on:
   push:
     branches-ignore:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bbd2e9776..2efc31d9e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,8 @@ on:
     tags:
       - v*
 
+permissions: {}
+
 # a lot of code taken from https://github.com/pypa/cibuildwheel/blob/main/examples/github-deploy.yml
 jobs:
   build: