From 6b81d501d8285c594acb2a5f1fa9f4c88839aab6 Mon Sep 17 00:00:00 2001
From: Rick Newton-Rogers <rnro@apple.com>
Date: Thu, 30 Oct 2025 15:48:41 +0000
Subject: [PATCH] Add explicit read permissions to workflows

Motivation:

* More secure GitHub Actions workflows

Modifications:

Add explicit 'contents: read' permissions to workflows that did not have
explicit permissions defined. This follows GitHub Actions security best
practices by limiting the default GITHUB_TOKEN permissions.

Result:

An extra layer of security.
---
 .github/workflows/api-docs.yml | 3 +++
 .github/workflows/test.yml     | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/api-docs.yml b/.github/workflows/api-docs.yml
index dc2e0634..063fb0f5 100644
--- a/.github/workflows/api-docs.yml
+++ b/.github/workflows/api-docs.yml
@@ -1,4 +1,7 @@
 name: deploy-api-docs
+
+permissions:
+  contents: read
 on:
   push:
     branches:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 926f2fbe..6a491e60 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,4 +1,7 @@
 name: CI
+
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true