From 2f4bf9cd62a11f3ae241c38b3f2543a25f7b341c Mon Sep 17 00:00:00 2001
From: Stephen Morgan
Date: Mon, 7 Apr 2025 16:11:59 +1200
Subject: [PATCH 1/2] ci: explicit permission in GH actions
---
 .github/workflows/audit.yml | 4 ++++
 .github/workflows/general.yml | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index a7fbd25..f79139f 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -7,6 +7,10 @@ on:
     paths:
       - "**/Cargo.toml"
       - "**/Cargo.lock"
+
+permissions:
+  contents: read
+
 jobs:
   security_audit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/general.yml b/.github/workflows/general.yml
index 2877f96..9372e04 100644
--- a/.github/workflows/general.yml
+++ b/.github/workflows/general.yml
@@ -6,6 +6,9 @@ on: [push, pull_request]
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   fmt:
     name: Rustfmt
From f4a85379b45cf0fcf87252dd3ab434669256f0d5 Mon Sep 17 00:00:00 2001
From: Stephen Morgan
Date: Mon, 7 Apr 2025 16:39:14 +1200
Subject: [PATCH 2/2] ci: additional GH Token permissions in test
---
 .github/workflows/general.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/general.yml b/.github/workflows/general.yml
index 9372e04..fe75826 100644
--- a/.github/workflows/general.yml
+++ b/.github/workflows/general.yml
@@ -36,6 +36,9 @@ jobs:
   coverage:
     name: Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     services:
       postgres:
         image: postgres:15
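Review bot: The workflow-level `contents: read` added in audit.yml now caps the GITHUB_TOKEN for the `security_audit` job, whose steps are outside this hunk; if that job uses an audit action that opens issues or publishes check runs for findings, it will also need `issues: write` and/or `checks: write`, declared at the job level. A job-level `permissions` block replaces the workflow-level one rather than merging with it, so any such block must repeat `contents: read` for checkout to keep working. Worth one run of the workflow after merge to confirm the audit step can still report its results. The matching workflow-level default added to general.yml in the next hunk is the right baseline and needs no change on its own.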
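Review bot: The new `id-token: write` on the `coverage` job lets it mint OIDC tokens, but neither the hunk nor the commit message records which step exchanges one, so the grant will be hard to justify or remove later; a comment on that line would help, e.g. `id-token: write  # OIDC token for <consuming step — fill in>; drop if that step is removed`. Because general.yml triggers on `pull_request` as well as `push` (see the `on:` context in PATCH 1), and as far as I recall GitHub does not issue OIDC tokens to jobs run from fork pull requests, the consuming step should tolerate a missing token or be gated on the event, otherwise fork PRs will fail at that step. Repeating `contents: read` here is correct, since a job-level `permissions` block replaces the workflow-level default instead of extending it. The remainder of the job's steps lie outside the hunk, so I could not confirm which step the token is for.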