From ff8f970a9c73b5d5d69993d4c8eed63dc0067179 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 2 Jun 2026 10:01:38 +0900
Subject: [PATCH] ci: set explicit read permissions on main-ci workflow

Set an explicit least-privilege permissions block so the workflow GITHUB_TOKEN is scoped to contents: read instead of inheriting the repository default.

Signed-off-by: Arpit Jain
---
 .github/workflows/main-ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/main-ci.yml b/.github/workflows/main-ci.yml
index fcd186b9f..24ce4cf99 100644
--- a/.github/workflows/main-ci.yml
+++ b/.github/workflows/main-ci.yml
@@ -8,6 +8,9 @@ on:
 branches:
 - main

+permissions:
+ contents: read
+
 jobs:
 job:
 runs-on: ubuntu-latest
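Review bot: The new top-level `permissions:` block has no comment saying that every scope it does not list is set to `none`, which a maintainer needs to know when a step later fails on a token call. I would add above it `# Least privilege: scopes not listed here are none; grant extra scopes on the job that needs them.` The `jobs:` section continues outside the hunk, so I cannot confirm whether any step there relies on a write scope or on `id-token`. If one does, it should get a job-level `permissions:` block of its own rather than a wider workflow-level one.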