From 567199a37d97af526c17cfda52bf91f8a131ba5e Mon Sep 17 00:00:00 2001
From: Aarni Koskela <akx@iki.fi>
Date: Tue, 9 Sep 2025 18:52:51 +0300
Subject: [PATCH] CI: make job permissions explicit (#1227)

---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a5ed97f2..7392ea40 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,8 @@ on:
 
 jobs:
   lint:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -21,6 +23,8 @@ jobs:
         env:
           RUFF_OUTPUT_FORMAT: github
   test:
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -68,6 +72,8 @@ jobs:
         token: ${{ secrets.CODECOV_TOKEN }}
         verbose: true
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04
     needs: lint
     steps:
-- 
2.47.3