From f20940550f95ed63d7f72acc3b880604f6cf169d Mon Sep 17 00:00:00 2001
From: Rick Newton-Rogers <rnro@apple.com>
Date: Thu, 30 Oct 2025 15:49:06 +0000
Subject: [PATCH] Add explicit read permissions to workflows

Motivation:

* More secure GitHub Actions workflows

Modifications:

Add explicit 'contents: read' permissions to workflows that did not have
explicit permissions defined. This follows GitHub Actions security best
practices by limiting the default GITHUB_TOKEN permissions.

Result:

An extra layer of security.
---
 .github/workflows/main.yml               | 3 +++
 .github/workflows/pull_request.yml       | 3 +++
 .github/workflows/pull_request_label.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f9fb4c1..99576e7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,8 @@
 name: Main
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index cc5ddaf..9925601 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,5 +1,8 @@
 name: PR
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, reopened, synchronize]
diff --git a/.github/workflows/pull_request_label.yml b/.github/workflows/pull_request_label.yml
index 8fd47c1..d2da2f1 100644
--- a/.github/workflows/pull_request_label.yml
+++ b/.github/workflows/pull_request_label.yml
@@ -1,5 +1,8 @@
 name: PR label
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]