From 1691e75e2fa05c6a5a4f76c4ae2b8ca4e4d3aa03 Mon Sep 17 00:00:00 2001
From: Guillaume Vix
Date: Tue, 15 Jul 2025 12:36:40 +0200
Subject: [PATCH 1/2] Specify permission in Github actions
---
 .github/workflows/codecov.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 5eb3262..20ac056 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -5,6 +5,9 @@ on:
 jobs:
 test:
+ permissions:
+ contents: read
+ id-token: write
 name: Run tests and collect coverage
 runs-on: ubuntu-latest
 steps:
From e56c997ba4a071b5eb77803e177ca66b7c14241d Mon Sep 17 00:00:00 2001
From: Guillaume Vix
Date: Tue, 15 Jul 2025 14:02:22 +0200
Subject: [PATCH 2/2] Disable top level GitHub token permissions
---
 .github/workflows/codecov.yml | 2 ++
 .github/workflows/publish.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 20ac056..0e88719 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -3,6 +3,8 @@ name: Run tests and upload coverage
 on: push
+permissions: {}
+
 jobs:
 test:
 permissions:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c93356a..42db07a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,8 @@ on:
 branches: [main]
 types: [closed]
+permissions: {}
+
 jobs:
 publish:
 permissions:
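Review bot: `id-token: write` is granted to the `test` job in the first codecov.yml hunk without anything in the hunk showing which step consumes the OIDC token; the `steps:` list begins at the hunk's last visible line and continues outside it. Presumably the consumer is the coverage upload step's OIDC authentication — confirm that, because a job that uploads with a static token does not need this scope at all. A short comment above the grant would keep it from being copied into other jobs unexamined, e.g. `# id-token: write is only for the OIDC-authenticated coverage upload; remove it if that step uses a repository secret instead`. `contents: read` is the minimum a checkout needs, so with that comment in place the pair is as tight as it can be.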
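Review bot: The top-level `permissions: {}` in the second codecov.yml hunk, and the identical line in the publish.yml hunk of the same patch, remove every default GITHUB_TOKEN scope from any job that does not declare its own, which is the right default but is recorded nowhere in either file; the job-level `permissions:` blocks that follow start in the hunks and run past them. A comment such as `# Deny all GITHUB_TOKEN scopes by default; each job below grants only what it needs` above each would make the intent survive future edits. In publish.yml the trigger context shows `types: [closed]`, so if the `publish` job's own condition (outside the hunk) does not check that the pull request was actually merged, closing an unmerged pull request against main would still start it — worth confirming while the permissions of that job are being reviewed. Any job in publish.yml that previously relied on the default write scopes for pushes or releases must now list those scopes explicitly or it will start failing.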