From 8ba7d280a9d79ee61dd65dc873273892ab294cff Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Thu, 2 Mar 2023 12:25:43 -0300
Subject: [PATCH] CI: define read-only permission for GitHub Workflow

It secures the repo against erroneous or malicious actions from external jobs you call from your workflow. It's specially important for the case they get compromised, for example.
---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 581c559..cf06817 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,7 @@ on:
 pull_request:
 branches: [ master ]
 workflow_dispatch:
+permissions: read-all
 jobs:
 cmake-build:
 strategy:
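Review bot: The added `permissions: read-all` gives the workflow token read access to every permission scope, which is broader than a build job normally needs. If the jobs only check out and compile, the least-privilege form is `permissions:` followed by `  contents: read`. The job steps are outside the hunk, so confirm that none of them reads another scope (packages or pull-request data, for example) before narrowing. A comment above the key such as `# Default GITHUB_TOKEN to read-only; grant extra scopes per job` would record the intent. This setting restricts only the token, so secrets handed to third-party actions are unaffected and pinning those actions to a commit SHA remains a separate control.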