From 1958dd4760f55800761b953a7c6c3c4407b4e03d Mon Sep 17 00:00:00 2001
From: Melissa Kilby
Date: Fri, 10 Oct 2025 16:14:08 -0700
Subject: [PATCH] chore: restrict GitHub workflow permissions - future-proof

Signed-off-by: Melissa Kilby
---
 .github/workflows/build-esp.yml | 3 +++
 .github/workflows/build-nuttx.yml | 3 +++
 .github/workflows/build-rpi-baremetal.yml | 3 +++
 .github/workflows/build-rpi-pico-sdk.yml | 3 +++
 .github/workflows/build-stm32-elf.yml | 3 +++
 .github/workflows/build-stm32-macho.yml | 3 +++
 .github/workflows/build-zephyr.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/update-swift-version.yml | 3 +++
 9 files changed, 27 insertions(+)

diff --git a/.github/workflows/build-esp.yml b/.github/workflows/build-esp.yml
index 34325add..deb7af1e 100644
--- a/.github/workflows/build-esp.yml
+++ b/.github/workflows/build-esp.yml
@@ -1,5 +1,8 @@
 name: ESP
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
diff --git a/.github/workflows/build-nuttx.yml b/.github/workflows/build-nuttx.yml
index 554cd5f7..14a9abb8 100644
--- a/.github/workflows/build-nuttx.yml
+++ b/.github/workflows/build-nuttx.yml
@@ -1,5 +1,8 @@
 name: NuttX
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
diff --git a/.github/workflows/build-rpi-baremetal.yml b/.github/workflows/build-rpi-baremetal.yml
index eadc725d..48c8d04e 100644
--- a/.github/workflows/build-rpi-baremetal.yml
+++ b/.github/workflows/build-rpi-baremetal.yml
@@ -1,5 +1,8 @@
 name: Raspberry Pi Baremetal
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
diff --git a/.github/workflows/build-rpi-pico-sdk.yml b/.github/workflows/build-rpi-pico-sdk.yml
index 258c65c3..6e03868a 100644
--- a/.github/workflows/build-rpi-pico-sdk.yml
+++ b/.github/workflows/build-rpi-pico-sdk.yml
@@ -1,5 +1,8 @@
 name: Raspberry Pi Pico SDK
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
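Review bot: The new top-level `permissions:` block in build-esp.yml carries no comment saying that it is the deliberate least-privilege default for GITHUB_TOKEN, so the next editor who adds a step that writes back is likely to widen this file-wide block instead of the one job; I would put `# Least-privilege default for GITHUB_TOKEN; grant extra scopes per job, never here.` directly above `permissions:`. The identical block is added to build-nuttx.yml, build-rpi-baremetal.yml, build-rpi-pico-sdk.yml, build-stm32-elf.yml, build-stm32-macho.yml, build-zephyr.yml and lint.yml, so the same comment belongs in each of those hunks. Keep in mind that a job-level `permissions:` further down in any of these files (outside the hunk) replaces this default for that job rather than narrowing it, so any existing job-level grant should be re-checked against what that job actually needs. Checkout, dependency caching and artifact upload work under `contents: read`; only steps that post PR comments, check annotations or push commits with GITHUB_TOKEN would need a job-level override.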
diff --git a/.github/workflows/build-stm32-elf.yml b/.github/workflows/build-stm32-elf.yml
index 1b616e2b..352e8915 100644
--- a/.github/workflows/build-stm32-elf.yml
+++ b/.github/workflows/build-stm32-elf.yml
@@ -1,5 +1,8 @@
 name: STM32 ELF
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
diff --git a/.github/workflows/build-stm32-macho.yml b/.github/workflows/build-stm32-macho.yml
index 88bd9256..4c96c271 100644
--- a/.github/workflows/build-stm32-macho.yml
+++ b/.github/workflows/build-stm32-macho.yml
@@ -1,5 +1,8 @@
 name: STM32 Macho
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
diff --git a/.github/workflows/build-zephyr.yml b/.github/workflows/build-zephyr.yml
index 96c83b1c..fa03f43f 100644
--- a/.github/workflows/build-zephyr.yml
+++ b/.github/workflows/build-zephyr.yml
@@ -1,5 +1,8 @@
 name: Zephyr
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 11ad1aec..ad6468e2 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,5 +1,8 @@
 name: Lint
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
diff --git a/.github/workflows/update-swift-version.yml b/.github/workflows/update-swift-version.yml
index 72a0fbdf..bdfcec45 100644
--- a/.github/workflows/update-swift-version.yml
+++ b/.github/workflows/update-swift-version.yml
@@ -1,5 +1,8 @@
 name: Update Swift Version
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 0 */7 * *' # Every 7 days at midnight UTC
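Review bot: `contents: read` as the only scope in update-swift-version.yml looks too narrow for what the workflow name and its schedule trigger imply: a job that commits a new Swift version or opens a pull request with GITHUB_TOKEN would now fail with a 403 at that step, and the job definitions are outside this hunk so the commit does not show whether that is the case. If the job does write with GITHUB_TOKEN, keep this workflow-level default read-only and add a job-level block scoped to that one job, `permissions:`, `  contents: write`, `  pull-requests: write` (dropping whichever scope the job does not use); if it authenticates with a GitHub App or PAT stored as a secret, the new default is correct as written. Either way a one-line comment above `permissions:` recording which token the update job uses would save the next reader from re-deriving this.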