From 31b495a7b9c1860af5d823e4cfda4aa3ee2fe78e Mon Sep 17 00:00:00 2001
From: Michael Tautschnig
Date: Fri, 3 Oct 2025 09:20:27 +0000
Subject: [PATCH] Complete CI permissions limiting
This is a follow-up to #4348 to address the remaining code scanning alerts.
---
 .github/workflows/deny.yml | 2 ++
 .github/workflows/kani.yml | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
index c4272ae07448..7737bed362f4 100644
--- a/.github/workflows/deny.yml
+++ b/.github/workflows/deny.yml
@@ -5,6 +5,8 @@
 # 2. Checks Rust-Sec registry for security advisories.
 name: Cargo Deny
+permissions:
+ contents: read
 on:
 pull_request:
 merge_group:
diff --git a/.github/workflows/kani.yml b/.github/workflows/kani.yml
index efd27481493f..9d4c284653ad 100644
--- a/.github/workflows/kani.yml
+++ b/.github/workflows/kani.yml
@@ -16,6 +16,8 @@ env:
 jobs:
 regression:
 runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
 strategy:
 matrix:
 os: [macos-13, ubuntu-22.04, ubuntu-24.04, macos-14, ubuntu-24.04-arm]
@@ -33,6 +35,8 @@ jobs:
 benchcomp-tests:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 steps:
 - name: Checkout Kani
 uses: actions/checkout@v5
@@ -56,6 +60,8 @@ jobs:
 perf:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 steps:
 - name: Checkout Kani
 uses: actions/checkout@v5
@@ -72,6 +78,8 @@ jobs:
 llbc-regression:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 steps:
 - name: Checkout Kani
 uses: actions/checkout@v5
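Review bot: The new workflow-level `permissions:` block in deny.yml, placed between `name:` and `on:`, has no comment recording why read-only is sufficient. Once any scope is listed, every unlisted scope on the job token drops to none, so a step added later that comments on a pull request or uploads results would fail on authorization with nothing in the file pointing at the cause. A line above the block such as `# Least privilege: jobs only need to check out the repo; grant extra scopes per job` would record the intent. The job definitions are outside the hunk, so this assumes none of them writes to the repository today.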
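Review bot: kani.yml repeats the same job-level block in `regression` (this hunk) and in `benchcomp-tests`, `perf` and `llbc-regression` (the three hunks that follow) instead of setting one workflow-level default as deny.yml does in this same patch. With job-level blocks only, a job added later, or any existing job that neither this patch nor the earlier change covers, falls back to the repository's default token permissions, which may include write access. A top-level `permissions:` with `contents: read` under it, next to `env:`, would make read-only the fail-safe default, leaving job-level blocks only for jobs that need a wider scope. The full job list is outside the hunks, so whether every job is already covered cannot be confirmed from here.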