From aa98d5f30eb51d81d653eee58d4ba6e06ead9a67 Mon Sep 17 00:00:00 2001
From: Lucas Girouard-Stranks <519592+lithiumtoast@users.noreply.github.com>
Date: Sat, 11 Jan 2025 10:28:25 -0500
Subject: [PATCH] Fix security GitHub Action workflow security issues (#41)

---
 .github/workflows/main.yml    | 2 ++
 .github/workflows/release.yml | 5 ++++-
 .github/workflows/test.yml    | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index eb4aeaf..743a09a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,4 +1,6 @@
 name: "Main"
+permissions:
+  contents: read
 on:
   workflow_dispatch:
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a15a1dc..5940cf5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,7 @@
 name: "Release"
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
@@ -66,7 +69,7 @@ jobs:
         run: dotnet nuget push "./nupkg/**/*.nupkg" --source https://api.nuget.org/v3/index.json --skip-duplicate --api-key $NUGET_ACCESS_TOKEN
 
       - name: "Create tag and GitHub release"
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@c43d7637b9b9ce3e953168c325d27253a5d48d8e # v2.2.1
         if: github.event_name == 'schedule' || github.event.inputs.pre-release == 'false'
         with:
           generate_release_notes: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f753dff..405041e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,4 +1,6 @@
 name: "Test .NET solution"
+permissions:
+  contents: read
 on:
   workflow_call:
 
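Review bot: The workflow-level `permissions:` block in main.yml is inserted with no blank line before `on:`, while the release.yml hunk in the same commit adds one; pick one layout for all three workflows (the test.yml hunk has the same shape as main.yml). A workflow-level `contents: read` also becomes the default token scope for every job in the file, so any job in main.yml or test.yml that needs a write scope (the jobs themselves are outside these hunks, so this cannot be checked here) must now override it with its own job-level `permissions:` or it will start failing with 403s. For test.yml, which is entered via `workflow_call`, the effective scope is additionally bounded by what the calling job passes in, so the caller's grant must stay at least `contents: read` as well.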
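Review bot: `contents: read` at the workflow level of release.yml also applies to the job that runs softprops/action-gh-release in the second hunk of this file, and that step creates a tag and a GitHub release, which needs `contents: write` on the token it uses. Unless the step supplies a separate PAT through its `token` input — its `with:` block is cut off at the end of that hunk, so this cannot be confirmed — the release will fail with a 403 once this lands. Keep the workflow default at read and grant write scope only where it is needed, under the release job: `permissions:` / `  contents: write`. The NuGet push step uses `$NUGET_ACCESS_TOKEN` rather than the workflow token, so it is unaffected.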
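Review bot: The `# v2.2.1` comment after the pinned SHA is the only link between the commit and a release tag, and nothing in the workflow verifies it, so a reader cannot tell from this line whether the SHA really corresponds to that version; either keep the pair maintained by Dependabot (`package-ecosystem: github-actions`, which rewrites SHA-pinned `uses:` lines together with their version comment) or add a short comment on how the pin was obtained and when it should be refreshed. The other `uses:` lines in these three workflows fall outside the hunks, so it is not visible whether they remain tag-pinned; if any do, the pinning in this hunk leaves the supply-chain fix incomplete. The `if:` condition and `with:` block of this step continue past the end of the hunk.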