From 90bdd29fb67e9ffc13384b9b8ce19b76b789efc2 Mon Sep 17 00:00:00 2001
From: Elias Schneider
Date: Wed, 7 May 2025 16:48:18 +0200
Subject: [PATCH] ci/cd: add explicit permissions to actions
---
 .github/workflows/e2e-tests.yml | 9 +++++++++
 .github/workflows/unit-tests.yml | 7 +++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 054307cf..0d32642f 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -17,6 +17,9 @@ jobs:
 build:
 if: github.event.pull_request.head.ref != 'i18n_crowdin'
 timeout-minutes: 20
+ permissions:
+ contents: read
+ actions: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -44,6 +47,9 @@ jobs:
 test-sqlite:
 if: github.event.pull_request.head.ref != 'i18n_crowdin'
+ permissions:
+ contents: read
+ actions: write
 runs-on: ubuntu-latest
 needs: build
 steps:
@@ -140,6 +146,9 @@ jobs:
 test-postgres:
 if: github.event.pull_request.head.ref != 'i18n_crowdin'
+ permissions:
+ contents: read
+ actions: write
 runs-on: ubuntu-latest
 needs: build
 steps:
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index a5c66e28..a62ddb62 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -11,13 +11,16 @@ on:
 jobs:
 test-backend:
+ permissions:
+ contents: read
+ actions: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version-file: 'backend/go.mod'
- cache-dependency-path: 'backend/go.sum'
+ go-version-file: "backend/go.mod"
+ cache-dependency-path: "backend/go.sum"
 - name: Install dependencies
 working-directory: backend
 run: |
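Review bot: `actions: write` in the `build` job's new `permissions:` block looks broader than the job needs, and the same block is repeated in `test-sqlite`, `test-postgres` and, in unit-tests.yml, `test-backend`. The steps visible in these hunks (checkout, setup-go with dependency caching) make no Actions API calls, and cache or artifact steps normally authenticate with the runner's own runtime token rather than the `GITHUB_TOKEN` `actions` scope. The job bodies continue outside the hunks, though, so a later step may still need it. With write scope, every step in the job, including third-party actions, holds a token that can cancel or re-run workflow runs and delete caches and artifacts. If nothing depends on it, keep only `contents: read` (or use `actions: read`), and where a job does need the write scope add a comment such as `# actions: write is required by <step>` so the grant stays reviewable.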