From d17db74d0f94e54c90bd2630ef4ff36b478bc0cc Mon Sep 17 00:00:00 2001 From: stxkxs Date: Fri, 19 Jun 2026 21:10:29 -0700 Subject: [PATCH] ci: set least-privilege GITHUB_TOKEN permissions on the workflow CodeQL (actions/missing-workflow-permissions) flagged the lint and render jobs for running with the default, overly-broad GITHUB_TOKEN scope. Add a top-level `permissions: contents: read` default so every job starts at read-only. Both flagged jobs only check out and validate the repo, so the default is all they need; the pr-summary job keeps its explicit `pull-requests: write` override for posting the CI comment. Resolves the 2 open code scanning alerts. Co-authored-by: stxkxsbot <275011021+stxkxsbot@users.noreply.github.com> --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0f7960f..1c1bb6e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,11 @@ on: pull_request: branches: [main] +# Least-privilege default for GITHUB_TOKEN; lint + render only read the repo. +# The pr-summary job opts into pull-requests: write on top of this. +permissions: + contents: read + jobs: lint: name: Lint YAML
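Review bot: the top-level `permissions: contents: read` default is correct, but the commit message's claim that the pr-summary job "keeps its explicit `pull-requests: write` override" needs checking against lines this hunk does not show. A job-level `permissions` block replaces the workflow-level one rather than merging with it, so every scope not listed in the job block is set to `none`; if the pr-summary job's block reads only `pull-requests: write`, that job loses `contents: read` and any `actions/checkout` step in it will fail once this default is in place. The job block should list both scopes explicitly, e.g. `permissions:` / `  contents: read` / `  pull-requests: write`. It is also worth noting in the comment that on `pull_request` runs from forks the token is read-only regardless of these settings, so the CI comment step will still need a non-fork guard or a different posting mechanism for external contributors.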