From 80c999cc81ebc73a448fffdd9912eab85ec9b3ce Mon Sep 17 00:00:00 2001
From: Alex
Date: Tue, 25 Apr 2023 16:35:39 +0200
Subject: [PATCH] GitHub Workflows security hardening (#6762)

Signed-off-by: Alex
---
 .github/workflows/main-sonar-check.yml | 4 ++++
 .github/workflows/sonar-check.yml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/main-sonar-check.yml b/.github/workflows/main-sonar-check.yml
index 429b0607552..527701debc1 100644
--- a/.github/workflows/main-sonar-check.yml
+++ b/.github/workflows/main-sonar-check.yml
@@ -22,6 +22,10 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+ pull-requests: write # for sonar to comment on pull-request
+
 jobs:
 build:
 name: Main Sonar JaCoCo Build
diff --git a/.github/workflows/sonar-check.yml b/.github/workflows/sonar-check.yml
index 2bfdaf0a65f..54329bf47b1 100644
--- a/.github/workflows/sonar-check.yml
+++ b/.github/workflows/sonar-check.yml
@@ -26,6 +26,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+ pull-requests: write # for sonar to comment on pull-request
+
 jobs:
 build:
 if: github.repository == 'apache/cloudstack'
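Review bot: The `pull-requests: write` grant added to main-sonar-check.yml looks broader than this workflow needs: the hunk's context (`on:` with `branches: - main`, a job named "Main Sonar JaCoCo Build") suggests a branch-push workflow, and the inline comment justifies the scope only for commenting on pull requests. If the `on:` block, which starts outside the hunk, has no `pull_request` trigger, the line should be dropped so the token stays at `contents: read`; if a job really does post PR comments, prefer granting it under `jobs.build.permissions` rather than at workflow level, where it applies to every job. A YAML nit on the same lines: yamllint expects two spaces before an inline comment, e.g. `contents: read  # to fetch code (actions/checkout)`.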
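Review bot: In sonar-check.yml the workflow-level `permissions:` block is inherited by every job, so anything beyond the visible `build` job also receives `pull-requests: write`; scoping the write grant with `jobs.build.permissions` and leaving the top level at `contents: read` keeps the least-privilege intent of this hardening. The concurrency group's use of `github.event.pull_request.number` shows this is a pull-request workflow, but the trigger itself is outside the hunk: with a plain `pull_request` event from a fork GITHUB_TOKEN is read-only regardless of this key (and Sonar PR decoration is commonly done via its own app token rather than GITHUB_TOKEN), so it is worth confirming the write scope is actually exercised, whereas with `pull_request_target` a write-capable token plus a checkout of the PR head is the well-known pwn-request pattern and deserves a second look. The `if: github.repository == 'apache/cloudstack'` guard does not distinguish fork PRs from in-repo ones, so it does not mitigate that case.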