From f4f73bcadcfd59ab4516fa261a850ff704a9543d Mon Sep 17 00:00:00 2001
From: Archi
Date: Sun, 19 Nov 2023 19:33:42 +0100
Subject: [PATCH] Apply CI permissions
---
 .github/workflows/ci.yml | 2 ++
 .github/workflows/code-quality.yml | 12 ++++++------
 .github/workflows/docker-ci.yml | 2 ++
 .github/workflows/docker-publish-latest.yml | 3 +++
 .github/workflows/docker-publish-main.yml | 3 +++
 .github/workflows/docker-publish-released.yml | 3 +++
 .github/workflows/publish.yml | 11 +++++++----
 .github/workflows/translations.yml | 3 +++
 8 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7d03972fe75d3..ff3091d481bee 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@ env:
 DOTNET_NOLOGO: true
 DOTNET_SDK_VERSION: 8.0
+permissions: {}
+
 jobs:
 main:
 strategy:
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 9cfe0971d10e4..d6b62ea48b405 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -6,17 +6,17 @@ env:
 DOTNET_CLI_TELEMETRY_OPTOUT: true
 DOTNET_NOLOGO: true
+permissions:
+ checks: write
+ contents: write
+ pull-requests: write
+ security-events: write
+
 jobs:
 main:
 if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
- permissions:
- checks: write
- contents: write
- pull-requests: write
- security-events: write
-
 steps:
 - name: Checkout code
 if: github.event_name != 'pull_request'
diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
index d2576d29bf917..189ff3e045f57 100644
--- a/.github/workflows/docker-ci.yml
+++ b/.github/workflows/docker-ci.yml
@@ -5,6 +5,8 @@ on: [push, pull_request]
 env:
 PLATFORMS: linux/amd64,linux/arm,linux/arm64
+permissions: {}
+
 jobs:
 main:
 strategy:
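Review bot: The new top-level `permissions: {}` in ci.yml carries no comment saying that it strips every GITHUB_TOKEN scope, so a later job that needs one will fail with an authorization error that is hard to trace back to this line. A comment above it would help, for example `# No GITHUB_TOKEN scopes by default; grant them per job under jobs.<job_id>.permissions`. The same empty mapping is added without explanation in docker-ci.yml and publish.yml. The jobs of ci.yml lie outside the hunk, so whether any of them relies on a scope cannot be checked from here.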
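Review bot: Moving the four `write` scopes from `jobs.main` to the workflow level in code-quality.yml makes them the default for every job in the file, so a job added later inherits `contents: write` and `pull-requests: write` without asking for them. With a single job the effective token is unchanged today, but the placement is looser than what this commit does in publish.yml, where the workflow default is empty and a scope is granted on the job that needs it. I would set `permissions: {}` at the top and leave the existing `permissions:` mapping under `main` in place. docker-publish-latest.yml, docker-publish-main.yml, docker-publish-released.yml and translations.yml grant their write scope at workflow level in the same way.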
diff --git a/.github/workflows/docker-publish-latest.yml b/.github/workflows/docker-publish-latest.yml
index f57e03ee03421..1073ab42e8b32 100644
--- a/.github/workflows/docker-publish-latest.yml
+++ b/.github/workflows/docker-publish-latest.yml
@@ -9,6 +9,9 @@ env:
 PLATFORMS: linux/amd64,linux/arm,linux/arm64
 TAG: latest
+permissions:
+ packages: write
+
 jobs:
 main:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker-publish-main.yml b/.github/workflows/docker-publish-main.yml
index 2f11175cb31df..025738882640b 100644
--- a/.github/workflows/docker-publish-main.yml
+++ b/.github/workflows/docker-publish-main.yml
@@ -10,6 +10,9 @@ env:
 PLATFORMS: linux/amd64,linux/arm,linux/arm64
 TAG: main
+permissions:
+ packages: write
+
 jobs:
 main:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker-publish-released.yml b/.github/workflows/docker-publish-released.yml
index 1904c5ad0b148..76e87f35781e0 100644
--- a/.github/workflows/docker-publish-released.yml
+++ b/.github/workflows/docker-publish-released.yml
@@ -10,6 +10,9 @@ env:
 PLATFORMS: linux/amd64,linux/arm,linux/arm64
 TAG: released
+permissions:
+ packages: write
+
 jobs:
 main:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a07f147d598bb..cca63e6273139 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,10 +4,14 @@ on: [push, pull_request]
 env:
 CONFIGURATION: Release
+ DOTNET_CLI_TELEMETRY_OPTOUT: true
+ DOTNET_NOLOGO: true
 DOTNET_SDK_VERSION: 8.0
 NODE_JS_VERSION: 'lts/*'
 PLUGINS: ArchiSteamFarm.OfficialPlugins.ItemsMatcher ArchiSteamFarm.OfficialPlugins.MobileAuthenticator ArchiSteamFarm.OfficialPlugins.SteamTokenDumper
+permissions: {}
+
 jobs:
 publish-asf-ui:
 runs-on: ubuntu-latest
@@ -69,10 +73,6 @@ jobs:
 runs-on: ${{ matrix.os }}
- env:
- DOTNET_CLI_TELEMETRY_OPTOUT: true
- DOTNET_NOLOGO: true
-
 steps:
 - name: Checkout code
 uses: actions/checkout@v4.1.1
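Review bot: Listing only `packages: write` in docker-publish-latest.yml sets every scope that is not listed to none, including `contents`, so any checkout step in `main` (its steps are outside the hunk) presumably keeps working only because the repository is public. Adding `contents: read` beside `packages: write` states the requirement explicitly and keeps the workflow usable in a private fork or mirror. The same applies to the identical blocks added in docker-publish-main.yml and docker-publish-released.yml.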
@@ -406,6 +406,9 @@ jobs:
 needs: publish-asf
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
 steps:
 - name: Checkout code
 uses: actions/checkout@v4.1.1
diff --git a/.github/workflows/translations.yml b/.github/workflows/translations.yml
index 4719ffecb8e71..c8e2bc574593e 100644
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: '55 1 * * *'
+permissions:
+ contents: write
+
 jobs:
 update:
 runs-on: ubuntu-latest
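Review bot: The job in publish.yml that now receives `contents: write` runs `actions/checkout@v4.1.1`, which is referenced by tag, and a tag can be repointed to different code after it was reviewed. Since this is the job the commit gives a repository-write token, I would pin the actions it uses to full commit SHAs, e.g. `uses: actions/checkout@<full-commit-sha> # v4.1.1` (placeholder; take the SHA from the action's release). The job's name and any `if:` condition are outside the hunk, and the workflow triggers on `pull_request` as well as `push`, so it is worth confirming that this job is limited to the runs that actually publish.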