From 39ed08a965f8a1d4dcbeac966871fc6e512815f3 Mon Sep 17 00:00:00 2001
From: jwngr
Date: Sat, 11 Oct 2025 18:54:36 -0700
Subject: [PATCH] Added explicit permissions to all GitHub action workflows
---
 .github/workflows/firebase-hosting-merge.yml | 5 +++++
 .github/workflows/firebase-hosting-pull-request.yml | 3 +++
 .github/workflows/frontend-ci.yml | 5 +++++
 3 files changed, 13 insertions(+)
diff --git a/.github/workflows/firebase-hosting-merge.yml b/.github/workflows/firebase-hosting-merge.yml
index 1dc9a8b..41f78bc 100644
--- a/.github/workflows/firebase-hosting-merge.yml
+++ b/.github/workflows/firebase-hosting-merge.yml
@@ -1,8 +1,13 @@
 name: Deploy prod frontend on merge
+
 on:
 push:
 branches:
 - main
+
+permissions:
+ contents: read
+
 jobs:
 build_and_deploy:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/firebase-hosting-pull-request.yml b/.github/workflows/firebase-hosting-pull-request.yml
index 6f172aa..5e43043 100644
--- a/.github/workflows/firebase-hosting-pull-request.yml
+++ b/.github/workflows/firebase-hosting-pull-request.yml
@@ -1,9 +1,12 @@
 name: Deploy frontend preview on PR
+
 on: pull_request
+
 permissions:
 checks: write
 contents: read
 pull-requests: write
+
 jobs:
 build_and_preview:
 if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
diff --git a/.github/workflows/frontend-ci.yml b/.github/workflows/frontend-ci.yml
index 3eece11..acf8a5d 100644
--- a/.github/workflows/frontend-ci.yml
+++ b/.github/workflows/frontend-ci.yml
@@ -1,5 +1,10 @@
 name: Run Frontend CI on push
+
 on: [push]
+
+permissions:
+ contents: read
+
 jobs:
 frontend-ci:
 runs-on: ubuntu-latest
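Review bot: The workflow-level `permissions:` block added in firebase-hosting-merge.yml sets every scope it does not list to `none`, so any step in `build_and_deploy` that uses `GITHUB_TOKEN` for more than checkout will start failing. The job's steps lie outside the hunk, so this cannot be confirmed from here. The PR preview workflow in the same patch keeps `checks: write` and `pull-requests: write`, which suggests the deploy action uses the token for those scopes there, so it is worth confirming with a run on `main` that the production deploy does not. I would also record the intent above the block, for example `# Least privilege: GITHUB_TOKEN is read-only here; grant extra scopes on the job that needs them.`, so a later change adds scopes per job instead of widening the workflow default. The same comment applies to the identical block added in frontend-ci.yml.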