From bf75e3362d9d1488d54f99f9af7176129198e6fb Mon Sep 17 00:00:00 2001
From: JSv4
Date: Fri, 20 Mar 2026 19:21:47 -0500
Subject: [PATCH] Add explicit permissions to GitHub Actions workflows

Restricts GITHUB_TOKEN scope to least privilege (contents: read) on all jobs that were missing permissions blocks, resolving 7 CodeQL security alerts (actions/missing-workflow-permissions).
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/playwright.yml | 3 +++
 .github/workflows/publish.yml | 6 ++++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 62df8e1..d2ebe52 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
index a423106..bb0171d 100644
--- a/.github/workflows/playwright.yml
+++ b/.github/workflows/playwright.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d467f09..da50945 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -108,6 +108,8 @@ jobs:
   build-binaries:
     needs: build-test-publish
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
@@ -156,6 +158,8 @@ jobs:
   build-docx2html-binaries:
     needs: build-test-publish
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
@@ -204,6 +208,8 @@ jobs:
   build-docx2oc-binaries:
     needs: build-test-publish
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
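Review bot: The new workflow-level `permissions:` block in ci.yml (and the identical one in playwright.yml) is the right default but carries no explanation, so the next contributor who adds a job that needs to write to the repository or a PR is likely to widen this top-level block instead of scoping the grant to that job. Add a comment above it: `# Default GITHUB_TOKEN scope for every job; a job that needs more must declare its own permissions: block.` It is worth stating there that a job-level `permissions:` replaces rather than extends this mapping, so such a job must repeat `contents: read` if it still checks out the repository. The steps of `build-and-test` and `test` lie below their hunks, so whether either job actually needs anything beyond read access cannot be confirmed from this diff.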
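Review bot: The job-level `permissions:` added to `build-binaries` (and identically to `build-docx2html-binaries` and `build-docx2oc-binaries` in the next two hunks) grants only `contents: read`, which covers checkout and workflow-artifact upload but not attaching files to a GitHub Release; the jobs' steps are outside the hunks, so if any of them uploads release assets that step will now be rejected and that job alone needs `contents: write`. All three jobs depend on `build-test-publish`, which the diff does not touch; presumably it already declares its own `permissions:` (the description says only jobs missing a block were changed), but since it is the job that actually publishes, that is the one to confirm. As a point of style the same two lines are repeated three times; a single workflow-level `permissions:` with `contents: read` and a job-level override on the publishing job would keep the default in one place, though that also changes the default for any job not shown here. Each `build-*` job's body continues past the end of its hunk.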