From f19d25133dbfa78638c9a6b0dcb756899ee12eb4 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Fri, 5 Aug 2022 15:54:15 -0500
Subject: [PATCH 1/2] Ensure minimal permissions are explicit on all workflows
---
 .github/workflows/draft-release.yml | 3 +++
 .github/workflows/test.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 4575aaf..34af841 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -4,6 +4,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: write
+
 jobs:
 draft-release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 74fbf15..15e4f28 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,9 @@ on:
 - main
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
From 4f84ed2a1463bc4c44d94feb668da6d54a4efcdf Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Fri, 5 Aug 2022 15:54:53 -0500
Subject: [PATCH 2/2] Add concurrency settings to PR-based workflows
---
 .github/workflows/check-dist.yml | 5 +++++
 .github/workflows/test.yml | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
index 092b408..fcc72f8 100644
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -18,6 +18,11 @@ on:
 permissions:
 contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+ group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+ cancel-in-progress: true
+
 jobs:
 check-dist:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 15e4f28..76147fe 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
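Review bot: In `.github/workflows/draft-release.yml` the new `permissions:` block grants `contents: write` at workflow level, so every job in the file, including any added later, runs with a token that can write to the repository, and nothing records why write is needed. Moving the block under `jobs.draft-release` and adding a comment such as `# contents: write is needed to create the draft release` would tie the grant to the one job that uses it. Setting `permissions` also drops every unlisted scope to `none`, so if the release step reads pull-request data (the steps are outside this hunk) it would need `pull-requests: read` as well.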
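Review bot: With `cancel-in-progress: true` and the group key falling back to `github.ref`, a run started outside a pull request is cancelled by the next run on the same ref, so a commit pushed to `main` shortly before another may never get a completed result; this applies to the `concurrency:` block added in `.github/workflows/check-dist.yml` and to the identical block in the `.github/workflows/test.yml` hunk of patch 2/2. If these workflows also run on push (the trigger lists are outside both hunks), limiting cancellation to pull requests keeps every pushed commit checked: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The comment above the block could also say why the key starts with `pull_request.head.label`, for example `# head.label is owner:branch, so same-named branches in different forks do not cancel each other`.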
@@ -9,6 +9,11 @@ on:
 permissions:
 contents: read
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+ group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+ cancel-in-progress: true
+
 jobs:
 test:
 runs-on: ubuntu-latest