From 899aeb93af1ee37d93923c3dbe802b5a1747cb5d Mon Sep 17 00:00:00 2001
From: Jim Kane
Date: Wed, 15 Apr 2026 13:20:37 -0500
Subject: [PATCH] Add minimal permissions blocks to GitHub Actions workflows

Address CodeQL security findings by explicitly declaring least-privilege permissions for all workflow jobs. Jobs that only need repository checkout get contents: read; jobs that also use the GitHub API for PR file lists get both contents: read and pull-requests: read.
---
 .github/workflows/build.yml | 4 ++++
 .github/workflows/pull-request-verification.yml | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3cb1656..535be10 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
@@ -21,6 +23,8 @@ jobs:
 
   self-test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - uses: ./
diff --git a/.github/workflows/pull-request-verification.yml b/.github/workflows/pull-request-verification.yml
index ea1b067..13b8457 100644
--- a/.github/workflows/pull-request-verification.yml
+++ b/.github/workflows/pull-request-verification.yml
@@ -9,6 +9,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
@@ -22,6 +24,7 @@ jobs:
   test-inline:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: read
     steps:
       - uses: actions/checkout@v6
@@ -43,6 +46,7 @@ jobs:
   test-external:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: read
     steps:
       - uses: actions/checkout@v6
@@ -56,6 +60,8 @@ jobs:
 
   test-without-token:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - uses: ./
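Review bot: The job-level `permissions:` blocks added to `build` and `self-test` only cover the jobs that exist today; a job added to this workflow later without its own block falls back to the repository's default GITHUB_TOKEN scope, which may be read-write. A workflow-level default above `jobs:` (`permissions: {}`, or `contents: read` if every job checks out) makes the least-privilege posture durable, and individual jobs can still widen it where needed. Whether the workflow already declares one cannot be seen here — the `on:` block and everything before line 9 are outside the hunk. Separately, the `actions/checkout@v6` and `actions/setup-node@v6` context lines reference mutable tags; pinning third-party actions to a full commit SHA is the usual companion to token hardening, and CodeQL's workflow queries report unpinned tags as well.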
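Review bot: The two scopes on `test-inline` now read as a bare list with no indication of which step needs which, so the next edit can drop one or widen it without noticing; a short inline comment on each records the reason, e.g. `contents: read  # actions/checkout` and `pull-requests: read  # PR file list via the GitHub API`. Note that on `pull_request` runs from forks GITHUB_TOKEN is already restricted to read access, so these scopes act as a ceiling rather than a grant; if the workflow also fires on `pull_request_target`, the token keeps write access to the base repository and checking out PR head code in that job would be the real exposure — the `on:` block is before line 9 and outside the hunk, so confirm which trigger is in use. The identical block on `test-external` would benefit from the same comments.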
@@ -69,6 +75,8 @@ jobs:
 
   test-wd-without-token:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
        with:
@@ -85,6 +93,8 @@ jobs:
 
   test-local-changes:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - run: echo "NEW FILE" > local
@@ -105,6 +115,8 @@ jobs:
 
   test-change-type:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - name: configure GIT user
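Review bot: `contents: read` on `test-change-type` is only sufficient if nothing later in the job pushes; the `configure GIT user` step visible here suggests the job creates commits, and a subsequent `git push` or tag push using GITHUB_TOKEN would now fail at runtime with a 403 rather than being caught when the workflow is edited. The rest of the job is outside the hunk, so this is a point to confirm rather than a defect; if the commits stay local, a comment such as `contents: read  # commits are made locally and never pushed` next to the scope records that for the next maintainer. The same question applies to `test-local-changes`, which writes a file into the checkout with `echo "NEW FILE" > local`.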