From 734787952d30defbe0894e503a5073344aca3299 Mon Sep 17 00:00:00 2001
From: Stephen Morgan
Date: Fri, 11 Apr 2025 10:10:57 +1200
Subject: [PATCH] ci: explicit permissions on actions revoke pull_request_target
---
 .github/workflows/coverage.yml | 3 +++
 .github/workflows/functions_client.yml | 3 +++
 .github/workflows/gotrue.yml | 3 +++
 .github/workflows/postgrest.yml | 3 +++
 .github/workflows/realtime_client.yml | 3 +++
 .github/workflows/storage_client.yml | 3 +++
 .github/workflows/supabase.yml | 3 +++
 .github/workflows/supabase_flutter.yml | 3 +++
 .github/workflows/title-validation.yml | 6 +++++-
 .github/workflows/yet_another_json_isolate.yml | 3 +++
 10 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 8f32fe19..1268c94b 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -6,6 +6,9 @@ on:
 - main
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 coverage:
 name: Generate Combined Coverage
diff --git a/.github/workflows/functions_client.yml b/.github/workflows/functions_client.yml
index 365f37fb..8a26ce98 100644
--- a/.github/workflows/functions_client.yml
+++ b/.github/workflows/functions_client.yml
@@ -15,6 +15,9 @@ on:
 - '.github/workflows/functions_client.yml'
 - 'packages/yet_another_json_isolate/**'
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/gotrue.yml b/.github/workflows/gotrue.yml
index c6e6e86e..0258a2bb 100644
--- a/.github/workflows/gotrue.yml
+++ b/.github/workflows/gotrue.yml
@@ -13,6 +13,9 @@ on:
 - 'packages/gotrue/**'
 - '.github/workflows/gotrue.yml'
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/postgrest.yml b/.github/workflows/postgrest.yml
index 57fad3ac..8fd1f155 100644
--- a/.github/workflows/postgrest.yml
+++ b/.github/workflows/postgrest.yml
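Review bot: In .github/workflows/coverage.yml the new top-level `permissions:` block sets every scope that is not listed to `none`, and the coverage job's steps lie outside the hunk, so it is not visible whether any of them reports back to the pull request through `GITHUB_TOKEN`. If a step posts a comment, status or check, it will now be denied; in that case grant the one extra scope on that job rather than widening the workflow-level default. The same block is added to functions_client.yml, gotrue.yml, postgrest.yml, realtime_client.yml, storage_client.yml, supabase.yml, supabase_flutter.yml and yet_another_json_isolate.yml, and each would benefit from a one-line comment above it such as `# Least privilege: scopes not listed here are set to none`.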
@@ -15,6 +15,9 @@ on:
 - '.github/workflows/postgrest.yml'
 - 'packages/yet_another_json_isolate/**'
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/realtime_client.yml b/.github/workflows/realtime_client.yml
index 12b6ab8b..144374b0 100644
--- a/.github/workflows/realtime_client.yml
+++ b/.github/workflows/realtime_client.yml
@@ -13,6 +13,9 @@ on:
 - 'packages/realtime_client/**'
 - '.github/workflows/realtime_client.yml'
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/storage_client.yml b/.github/workflows/storage_client.yml
index 2aec79e4..7b49fa04 100644
--- a/.github/workflows/storage_client.yml
+++ b/.github/workflows/storage_client.yml
@@ -12,6 +12,9 @@ on:
 - 'packages/storage_client/**'
 - '.github/workflows/storage_client.yml'
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/supabase.yml b/.github/workflows/supabase.yml
index c6b89046..7616303d 100644
--- a/.github/workflows/supabase.yml
+++ b/.github/workflows/supabase.yml
@@ -23,6 +23,9 @@ on:
 - 'packages/realtime_client/**'
 - 'packages/storage_client/**'
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/supabase_flutter.yml b/.github/workflows/supabase_flutter.yml
index 3c66a6b9..ae7182f6 100644
--- a/.github/workflows/supabase_flutter.yml
+++ b/.github/workflows/supabase_flutter.yml
@@ -27,6 +27,9 @@ on:
 - 'packages/supabase/**'
 - 'packages/yet_another_json_isolate/**'
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test Flutter v${{ matrix.flutter-version }}
diff --git a/.github/workflows/title-validation.yml b/.github/workflows/title-validation.yml
index 34c956e7..87bedfb3 100644
--- a/.github/workflows/title-validation.yml
+++ b/.github/workflows/title-validation.yml
@@ -2,12 +2,16 @@ name: 'PR Title is Conventional'
 on:
- pull_request_target:
+ pull_request:
 types:
 - opened
 - edited
 - synchronize
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 main:
 name: Validate PR title
diff --git a/.github/workflows/yet_another_json_isolate.yml b/.github/workflows/yet_another_json_isolate.yml
index f424ded0..db562900 100644
--- a/.github/workflows/yet_another_json_isolate.yml
+++ b/.github/workflows/yet_another_json_isolate.yml
@@ -13,6 +13,9 @@ on:
 - 'packages/yet_another_json_isolate/**'
 - '.github/workflows/yet_another_json_isolate.yml'
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test SDK ${{ matrix.sdk }}
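Review bot: `pull-requests: write` in .github/workflows/title-validation.yml looks broader than a title check needs, and under the new `pull_request` trigger it is by default not honoured for pull requests from forks, where `GITHUB_TOKEN` stays read-only whatever the block requests. The job's steps are outside the hunk, so this is inferred: if the job only reads the title, `pull-requests: read` is sufficient, and if a step comments on or labels the pull request, that step will start failing on fork contributions after this change. Keeping the scope at the minimum also limits what the token could do if the trigger were ever switched back to `pull_request_target`. Suggested: `pull-requests: read`, and drop `contents: read` as well if no step checks out the repository.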