From c612a3bf6074cf6cd2161a970d3e7d670344b0cf Mon Sep 17 00:00:00 2001
From: Otto Winter
Date: Tue, 26 Oct 2021 10:55:27 +0200
Subject: [PATCH] Constrain GH Actions workflows permissions (#2625)

---
 .github/workflows/ci-docker.yml | 4 ++++
 .github/workflows/ci.yml        | 3 +++
 .github/workflows/release.yml   | 9 +++++++++
 3 files changed, 16 insertions(+)

diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml
index 12f5a7dfc2..1d1cc169b2 100644
--- a/.github/workflows/ci-docker.yml
+++ b/.github/workflows/ci-docker.yml
@@ -17,6 +17,10 @@ on:
       - 'requirements*.txt'
       - 'platformio.ini'
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   check-docker:
     name: Build docker containers
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 45e2f2735c..02b64d2bf5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:
 
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     name: ${{ matrix.name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index afd893d065..d6895becc0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
   schedule:
     - cron: "0 2 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   init:
     name: Initialize build
@@ -52,6 +55,9 @@ jobs:
   deploy-docker:
     name: Build and publish docker containers
     if: github.repository == 'esphome/esphome'
+    permissions:
+      contents: read
+      packages: write
     runs-on: ubuntu-latest
     needs: [init]
     strategy:
@@ -93,6 +99,9 @@ jobs:
 
   deploy-docker-manifest:
     if: github.repository == 'esphome/esphome'
+    permissions:
+      contents: read
+      packages: write
     runs-on: ubuntu-latest
     needs: [init, deploy-docker]
     strategy:
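Review bot: `packages: read` in the new workflow-level block of ci-docker.yml is only needed if `check-docker` authenticates to GHCR to pull a private image; a public base image pulls without a token, and the scope could then be dropped, leaving `contents: read` alone. The job body that would show a registry-login step is outside the hunk, so this is something to confirm rather than assume. A one-line comment above the block, `# read-only token: check-docker builds images but never pushes them`, would record why no write scope is granted in this workflow.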
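Review bot: Declaring `permissions: contents: read` in ci.yml resets every scope not listed to `none`, so any step in the matrix `ci` job that used `GITHUB_TOKEN` to write checks, annotations or pull-request comments will now receive a 403; the job steps are outside the hunk and should be audited for such uses before merging. If one step genuinely needs a write scope, grant it at job level (for example `checks: write` on that job) rather than widening the workflow-level block. On `pull_request` runs from forks the token is read-only regardless, so the practical hardening here is for push and same-repository runs.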
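Review bot: Only the two docker jobs later in release.yml receive a job-level grant, so any other job in this workflow that writes through `GITHUB_TOKEN` (creating a GitHub release, uploading assets, pushing a tag) will fail under the new `contents: read` default; those jobs are outside this hunk and should be checked. `init` as shown in the context needs nothing beyond read. A short comment above the block, `# default for every job; jobs that publish declare their own permissions block`, would make the intent clear to whoever adds the next job.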
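Review bot: The job-level `permissions` block on `deploy-docker` replaces the workflow-level one rather than merging with it, which is why `contents: read` has to be restated next to `packages: write`; that line is easy to remove as "redundant" in a later cleanup, so it deserves a comment such as `# job-level permissions replace the workflow block; contents: read is still needed for checkout`. `packages: write` presumably backs a GHCR login with `GITHUB_TOKEN` in the steps further down (outside the hunk); if the job pushes only to a registry authenticated with a separate secret, `read` would suffice. The `if: github.repository == 'esphome/esphome'` guard means the job, and with it the write scope, is skipped entirely in forks.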
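Review bot: The `permissions` block added to `deploy-docker-manifest` is a byte-for-byte copy of the one on `deploy-docker`, and because GitHub Actions does not expand YAML anchors or aliases it cannot be shared; the two copies have to be kept in sync by hand. A comment on this block, `# must match deploy-docker: this job pushes the multi-arch manifest to the same registry`, would tell a maintainer that changing one without the other is a bug, not a choice. As with the sibling job, `contents: read` is required here only because job-level permissions override the workflow-level default.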