From 9a24850bc9247873d6c33deed8e1d26d51f4df23 Mon Sep 17 00:00:00 2001 From: stxkxs Date: Fri, 19 Jun 2026 21:27:39 -0700 Subject: [PATCH] ci: scope workflow GITHUB_TOKEN to least privilege Add a top-level `permissions: contents: read` default to ci.yml and diff.yml so GITHUB_TOKEN is least-privilege, clearing the 3 CodeQL actions/missing-workflow-permissions alerts. Read-only covers the lint/validate/diff jobs; the pr-summary job keeps its job-level `pull-requests: write` override, so PR comments still work. Co-authored-by: stxkxsbot <275011021+stxkxsbot@users.noreply.github.com> --- .github/workflows/ci.yml | 3 +++ .github/workflows/diff.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9c39fdc..21d7851 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: lint: name: Lint YAML diff --git a/.github/workflows/diff.yml b/.github/workflows/diff.yml index 47e2169..cca661a 100644 --- a/.github/workflows/diff.yml +++ b/.github/workflows/diff.yml @@ -12,6 +12,9 @@ on: - staging - production +permissions: + contents: read + jobs: diff: runs-on: ubuntu-latest
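Review bot: The ci.yml hunk only shows the new top-level `permissions: contents: read`, not the job-level `pull-requests: write` override the commit message says the pr-summary job keeps; since a top-level `permissions:` block becomes the default for every job in the file and drops all scopes it does not list to none, any job that still needs to write (pr-summary, or anything else that comments, labels or uploads) must carry its own `permissions:` block, and that is not visible here. Please confirm in the full ci.yml that the pr-summary job has `permissions: pull-requests: write` at job level, and consider adding a one-line comment above the new block (e.g. `# least-privilege default; jobs that write must opt in per job`) so a later edit does not quietly loosen it.

Review bot: The diff.yml hunk likewise restricts every job in that workflow to `contents: read`, and the only job visible, `diff:` with `runs-on: ubuntu-latest`, shows no job-level `permissions:` of its own, so it will run with read-only scopes for contents and none for everything else. That is correct if the job only reads the repo and prints a diff, but if it posts results back (a PR comment, a status, an artifact upload to a release) it will now fail with a permissions error rather than at lint time; worth a manual run against the `staging` and `production` triggers listed in `on:` before merging, and a short comment above `permissions:` noting the CodeQL actions/missing-workflow-permissions rule this block satisfies.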