From fc8b6017e4adedd0d7c3e876b3365c2c25aa9a4f Mon Sep 17 00:00:00 2001 From: stxkxs Date: Fri, 19 Jun 2026 21:27:43 -0700 Subject: [PATCH] ci: scope workflow GITHUB_TOKEN to least privilege Add a top-level `permissions: contents: read` default to ci.yml so GITHUB_TOKEN is least-privilege, clearing the 2 CodeQL actions/missing-workflow-permissions alerts. The build-and-test and lint jobs only read + upload run artifacts; nothing writes to the repo. Co-authored-by: stxkxsbot <275011021+stxkxsbot@users.noreply.github.com> --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ca03d43..88861a0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: - '**' pull_request: +permissions: + contents: read + jobs: build-and-test: runs-on: ubuntu-latest
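Review bot: The new top-level `permissions:` block should carry a comment explaining that a job-level `permissions:` key replaces this default rather than merging with it, since the next job that needs e.g. `pull-requests: write` will silently drop `contents: read` unless it re-declares it; something like `# Least-privilege default for GITHUB_TOKEN. A job-level permissions: block` / `# REPLACES this (no merge), so re-declare contents: read there as well.` above `permissions:`. The commit description asserts that build-and-test and lint only read and upload run artifacts, but both job bodies are outside the hunk, so that cannot be confirmed here; any step that pushes, tags, posts a PR comment, or uploads SARIF would now fail with 403 and needs its scope added at job level (`security-events: write`, `pull-requests: write`) rather than by widening this default. With an explicit `permissions:` key every unlisted scope becomes `none`, which is the intended effect, so the `contents: read` choice itself looks correct for a checkout-and-test workflow.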