From 947bc2c4147ca40fdfe6bbf6b7076690f3e6cd2c Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Tue, 14 May 2024 11:59:19 +1200
Subject: [PATCH] ENH Add workflow permissions
---
 scripts/cms-any/auto-tag.php | 5 +++++
 scripts/cms-any/dispatch-ci.php | 5 +++++
 scripts/cms-any/keepalive.php | 4 ++++
 scripts/cms-any/merge-ups.php | 5 +++++
 scripts/cms-any/update-js.php | 6 ++++++
 5 files changed, 25 insertions(+)
diff --git a/scripts/cms-any/auto-tag.php b/scripts/cms-any/auto-tag.php
index bfb0476..8ade351 100644
--- a/scripts/cms-any/auto-tag.php
+++ b/scripts/cms-any/auto-tag.php
@@ -7,10 +7,15 @@ tags: - '*.*.*' workflow_dispatch: + +permissions: {} + jobs: auto-tag: name: Auto-tag runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Auto-tag uses: silverstripe/gha-auto-tag@v1
diff --git a/scripts/cms-any/dispatch-ci.php b/scripts/cms-any/dispatch-ci.php
index 4568050..41e2450 100644
--- a/scripts/cms-any/dispatch-ci.php
+++ b/scripts/cms-any/dispatch-ci.php
@@ -21,12 +21,17 @@ schedule: - cron: '$cron' +permissions: {} + jobs: dispatch-ci: name: Dispatch CI # Only run cron on the $account account if: (github.event_name == 'schedule' && github.repository_owner == '$account') || (github.event_name != 'schedule') runs-on: ubuntu-latest + permissions: + contents: read + actions: write steps: - name: Dispatch CI uses: silverstripe/gha-dispatch-ci@v1
diff --git a/scripts/cms-any/keepalive.php b/scripts/cms-any/keepalive.php
index 55265ac..8abc615 100644
--- a/scripts/cms-any/keepalive.php
+++ b/scripts/cms-any/keepalive.php
@@ -20,12 +20,16 @@ - cron: '$cron' workflow_dispatch: +permissions: {} + jobs: keepalive: name: Keepalive # Only run cron on the $account account if: (github.event_name == 'schedule' && github.repository_owner == '$account') || (github.event_name != 'schedule') runs-on: ubuntu-latest + permissions: + actions: write steps: - name: Keepalive uses: silverstripe/gha-keepalive@v1
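Review bot: The job-level `contents: write` added to the auto-tag job is usable by whatever `silverstripe/gha-auto-tag@v1` resolves to when the job runs, and `@v1` looks like a movable ref, so the narrowed token is only as trustworthy as that ref. The same applies to the write scopes added in dispatch-ci.php, keepalive.php, merge-ups.php and update-js.php, which also reference their action as `@v1`. Pinning the step to a full commit SHA, e.g. `uses: silverstripe/gha-auto-tag@<full-commit-sha> # v1`, would close that gap; if tracking `v1` is deliberate for first-party actions, a short comment beside each `permissions:` block stating why the scope is needed and that the action is first-party (wording for the author to confirm) would record the decision. The YAML appears to sit inside a PHP template string whose start and end are outside the hunk.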
diff --git a/scripts/cms-any/merge-ups.php b/scripts/cms-any/merge-ups.php
index 9c1e31d..817ceb3 100644
--- a/scripts/cms-any/merge-ups.php
+++ b/scripts/cms-any/merge-ups.php
@@ -38,12 +38,17 @@ - cron: '$cron' workflow_dispatch: +permissions: {} + jobs: merge-up: name: Merge-up # Only run cron on the $account account if: (github.event_name == 'schedule' && github.repository_owner == '$account') || (github.event_name != 'schedule') runs-on: ubuntu-latest + permissions: + contents: write + actions: write steps: - name: Merge-up uses: silverstripe/gha-merge-up@v1
diff --git a/scripts/cms-any/update-js.php b/scripts/cms-any/update-js.php
index ad865c3..9f9cb82 100644
--- a/scripts/cms-any/update-js.php
+++ b/scripts/cms-any/update-js.php
@@ -17,12 +17,18 @@ schedule: - cron: '$runOnMinute $runOnHour $runOnDay */3 *' +permissions: {} + jobs: update-js: name: Update JS # Only run cron on the $account account if: (github.event_name == 'schedule' && github.repository_owner == '$account') || (github.event_name != 'schedule') runs-on: ubuntu-latest + permissions: + contents: write + pull-request: write + actions: write steps: - name: Update JS uses: silverstripe/gha-update-js@v1
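Review bot: `pull-request: write` in the update-js job is not a permission key GitHub Actions recognises; the scope is spelled `pull-requests`. As written, the generated workflow is likely to be rejected as invalid, and in any case the job gets no pull-request access because the top-level `permissions: {}` removes every scope that is not listed. The line should read `pull-requests: write`. The surrounding template string starts and ends outside the hunk.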