From efda458c572f84efc562897e5956532f15a474cc Mon Sep 17 00:00:00 2001
From: rwesolowski
Date: Mon, 27 Apr 2026 10:28:26 +0200
Subject: [PATCH] Restrict GITHUB_TOKEN scope to least privilege in workflows

Add explicit `permissions: contents: read` to publish.yml and tests.yml so the default GITHUB_TOKEN no longer inherits broader repo/org defaults. Resolves CodeQL alerts actions/missing-workflow-permissions (#1, #2).
---
 .github/workflows/publish.yml | 3 +++
 .github/workflows/tests.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5167461..4ada5e8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a439874..6ddd4c2 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
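Review bot: In the publish.yml hunk the new workflow-level `permissions: contents: read` also governs the `deploy` job, whose steps lie outside the hunk, so the commit should confirm that job does not need a broader token: a step that uploads release assets with GITHUB_TOKEN needs `contents: write`, and a trusted-publishing (OIDC) step needs `id-token: write`, and either would now fail rather than inherit the old default. The least-privilege shape is to keep the workflow-level block as `contents: read` and add only the extra grant at job scope, e.g. under `deploy:` add `permissions:` / `  id-token: write` (or `  contents: write`) depending on which step actually needs it. The tests.yml hunk applies the same block; with a `pull_request` trigger `contents: read` is normally enough unless a step posts check results or PR comments, which would need `checks: write` or `pull-requests: write` at job scope. Both `jobs:` blocks continue past their hunks.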