kc3-lang/libxkbcommon

diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index 0a89026..2c0f72a 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -5,12 +5,21 @@ on:
     tags:
       - 'xkbcommon-*'
 
+# Set permissions at the job level.
+permissions: {}
+
 jobs:
   build:
     name: Automatically create GitHub release for tag
     runs-on: ubuntu-20.04
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
       - uses: actions/create-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c864097..cbae406 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,22 +6,28 @@ on:
   pull_request:
     branches: [ master ]
 
+# Set permissions at the job level.
+permissions: {}
+
 jobs:
   linux:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    permissions:
+      contents: read
     strategy:
       matrix:
         compiler: [clang, gcc]
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-python@v1
         with:
-          python-version: '3.7'
+          persist-credentials: false
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip meson
-          sudo apt update -y
-          sudo env DEBIAN_FRONTEND=noninteractive apt install -y \
+          python -m pip install --upgrade meson
+          sudo apt install -y \
             doxygen libxcb-xkb-dev valgrind ninja-build \
             libwayland-dev wayland-protocols bison graphviz
       - name: Setup
@@ -38,14 +44,18 @@ jobs:
 
   macos:
     runs-on: macos-10.15
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-python@v1
         with:
-          python-version: '3.7'
+          persist-credentials: false
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip meson
+          python -m pip install --upgrade meson
           brew install libxml2 doxygen bison ninja
           brew link bison --force
         env:
@@ -63,15 +73,19 @@ jobs:
 
   windows:
     runs-on: windows-2019
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-python@v1
         with:
-          python-version: '3.7'
+          persist-credentials: false
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
       - name: Install dependencies
         shell: powershell
         run: |
-          python -m pip install --upgrade pip meson
+          python -m pip install --upgrade meson
           Invoke-WebRequest -Uri https://github.com/ninja-build/ninja/releases/download/v1.10.1/ninja-win.zip -OutFile ninja.zip
           Invoke-WebRequest -Uri https://github.com/lexxmark/winflexbison/releases/download/v2.5.23/win_flex_bison-2.5.23.zip -OutFile win_flex_bison.zip
           Expand-Archive -Path win_flex_bison.zip -DestinationPath bin