From e6307b9f032ee4d1e328455d05a39db7177d0cc4 Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Thu, 31 Jul 2025 10:42:15 -0400
Subject: [PATCH] Fix CodeQL warnings about lack of workflow permissions

---
 .github/workflows/linters.yml           | 4 ++++
 .github/workflows/test-python-atlas.yml | 2 ++
 .github/workflows/test-python.yml       | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index dcf46d45f..4f877334c 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -26,6 +26,8 @@ jobs:
       - name: Run linters
         run: |
           pre-commit run --hook-stage=manual --all-files
+    permissions:
+        contents: read
   docs:
     name: Docs Checks
     runs-on: ubuntu-latest
@@ -46,3 +48,5 @@ jobs:
         run: |
           cd docs
           make html
+    permissions:
+        contents: read
diff --git a/.github/workflows/test-python-atlas.yml b/.github/workflows/test-python-atlas.yml
index f84a99345..bdb035aad 100644
--- a/.github/workflows/test-python-atlas.yml
+++ b/.github/workflows/test-python-atlas.yml
@@ -54,3 +54,5 @@ jobs:
         run: bash .github/workflows/start_local_atlas.sh mongodb/mongodb-atlas-local:7
       - name: Run tests
         run: python3 django_repo/tests/runtests.py --settings mongodb_settings -v 2
+    permissions:
+        contents: read
diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml
index d3fccebdc..ce7d300d0 100644
--- a/.github/workflows/test-python.yml
+++ b/.github/workflows/test-python.yml
@@ -55,3 +55,5 @@ jobs:
           mongodb-version: 6.0
       - name: Run tests
         run: python3 django_repo/tests/runtests_.py
+    permissions:
+        contents: read