From 0cff8e2356fb68888b035a7232e904097d3fad46 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht <pedro.k.night@gmail.com>
Date: Thu, 14 Sep 2023 20:56:08 -0300
Subject: [PATCH] Set read-only tokens for all workflows (#2075)

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
---
 .github/workflows/actions.yml      | 4 ++++
 .github/workflows/devcontainer.yml | 2 ++
 .github/workflows/release.yml      | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
index 9c218ce5cc..c02b2e62cb 100644
--- a/.github/workflows/actions.yml
+++ b/.github/workflows/actions.yml
@@ -5,6 +5,10 @@ on:
   pull_request:
   release:
     types: [created]
+
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test the code with tf.keras
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
index 72f12471c7..3960bcb278 100644
--- a/.github/workflows/devcontainer.yml
+++ b/.github/workflows/devcontainer.yml
@@ -11,6 +11,8 @@ on: # rebuild any PRs and main branch changes
       - '.devcontainer/**'
       - 'workflows/**'
 
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2ee85c2055..40ba6b1292 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,10 @@ name: Release
 on:
   release:
     types: [published]
+
+permissions:
+  contents: read
+
 jobs:
   deploy-with-custom-ops:
     # This job is currently skipped until we cut a release with custom ops.