From b793cdd3f527881c9a6614bb78daaafb45c1fca4 Mon Sep 17 00:00:00 2001
From: Aarni Koskela <akx@iki.fi>
Date: Tue, 9 Sep 2025 15:46:53 +0000
Subject: [PATCH] CI: make step permissions explicit

---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a5ed97f22..7392ea403 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,8 @@ on:
 
 jobs:
   lint:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -21,6 +23,8 @@ jobs:
         env:
           RUFF_OUTPUT_FORMAT: github
   test:
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -68,6 +72,8 @@ jobs:
         token: ${{ secrets.CODECOV_TOKEN }}
         verbose: true
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04
     needs: lint
     steps: