From 74a8fc060465a822f0c047f908d5fb07ebc6ad96 Mon Sep 17 00:00:00 2001
From: Disservin
Date: Wed, 3 Jul 2024 14:07:48 +0200
Subject: [PATCH] Use explicit action permissions in CI
Necessary modifications according to changes in the GitHub Action settings.
closes https://github.com/official-stockfish/Stockfish/pull/5437
Follow up from the report by Yaron Avital (yaronav) earlier.
No functional change
---
 .github/workflows/stockfish.yml | 10 ++++++++++
 .github/workflows/upload_binaries.yml | 5 +++++
 2 files changed, 15 insertions(+)
diff --git a/.github/workflows/stockfish.yml b/.github/workflows/stockfish.yml
index 5589c762..1f87e061 100644
--- a/.github/workflows/stockfish.yml
+++ b/.github/workflows/stockfish.yml
@@ -15,6 +15,8 @@ jobs:
 Prerelease:
 if: github.repository == 'official-stockfish/Stockfish' && (github.ref == 'refs/heads/master' || (startsWith(github.ref_name, 'sf_') && github.ref_type == 'tag'))
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # For deleting/creating a prerelease
 steps:
 - uses: actions/checkout@v4
 with:
@@ -104,9 +106,17 @@ jobs:
 uses: ./.github/workflows/upload_binaries.yml
 with:
 matrix: ${{ needs.Matrix.outputs.matrix }}
+ permissions:
+ contents: write # For deleting/creating a (pre)release
+ secrets:
+ token: ${{ secrets.GITHUB_TOKEN }}
 ARM_Binaries:
 if: github.repository == 'official-stockfish/Stockfish'
 needs: [Matrix, Prerelease, ARMCompilation]
 uses: ./.github/workflows/upload_binaries.yml
 with:
 matrix: ${{ needs.Matrix.outputs.arm_matrix }}
+ permissions:
+ contents: write # For deleting/creating a (pre)release
+ secrets:
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/upload_binaries.yml b/.github/workflows/upload_binaries.yml
index c91824a2..c5a2cd10 100644
--- a/.github/workflows/upload_binaries.yml
+++ b/.github/workflows/upload_binaries.yml
@@ -5,6 +5,9 @@ on:
 matrix:
 type: string
 required: true
+ secrets:
+ token:
+ required: true
 jobs:
 Artifacts:
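Review bot: The `contents: write` grant on the `Prerelease` job in stockfish.yml is scoped correctly, but nothing in this patch sets a workflow-level default, so every other job still takes whatever the repository setting provides. Declaring `permissions:` with `contents: read` at the top of the workflow would pin the read-only baseline in the file itself; the file header is outside the hunk, so confirm it is not already there. Separately, unless the `with:` block of the `actions/checkout@v4` step (it continues outside the hunk) sets `persist-credentials: false`, the now write-capable token is left in the local git config for the later steps of this job.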
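Review bot: The `secrets:` / `token: ${{ secrets.GITHUB_TOKEN }}` pass-through added to `Binaries` and `ARM_Binaries` looks redundant: a called reusable workflow already receives the caller's `GITHUB_TOKEN`, capped by the calling job's `permissions`, so the two `contents: write` lines are what actually grant release access. The same applies to the `secrets: token` declaration and the two `token: ${{ secrets.token }}` inputs in upload_binaries.yml; as far as I know the release action falls back to `github.token` when that input is omitted. A generic, required `token` secret also makes it easy for a future caller to hand in a broader personal token than the job needs. If an explicit input is wanted for readability, `token: ${{ github.token }}` inside the called workflow achieves it without the secret plumbing.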
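Review bot: The new `token` secret under `workflow_call` in upload_binaries.yml has no `description`, so a caller cannot tell from the interface which scope it is expected to carry. If the secret is kept, add `description: 'Token with contents: write, used to delete and create (pre)releases'` next to `required: true`.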
@@ -80,6 +83,7 @@ jobs:
 uses: softprops/action-gh-release@4634c16e79c963813287e889244c50009e7f0981
 with:
 files: stockfish-${{ matrix.config.simple_name }}-${{ matrix.binaries }}.${{ matrix.config.archive_ext }}
+ token: ${{ secrets.token }}
 - name: Get last commit sha
 id: last_commit
@@ -106,3 +110,4 @@ jobs:
 tag_name: stockfish-dev-${{ env.COMMIT_DATE }}-${{ env.COMMIT_SHA }}
 prerelease: true
 files: stockfish-${{ matrix.config.simple_name }}-${{ matrix.binaries }}.${{ matrix.config.archive_ext }}
+ token: ${{ secrets.token }}