From 965f0bf4183323a11fe51ef65226ff154d3dde96 Mon Sep 17 00:00:00 2001
From: Matt Raible
Date: Wed, 17 Sep 2025 21:28:02 -0700
Subject: [PATCH] Add explicit permissions to GitHub Actions workflows

Resolves CodeQL security alerts by restricting GITHUB_TOKEN to contents:read only
---
 .github/workflows/main.yml | 3 +++
 .github/workflows/pylint.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ff0156b..5635c92 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,6 +1,9 @@
 name: Sample CI
 on: [ push, pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
   test-functions:
     strategy:
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
index 41eac16..3f5e35f 100644
--- a/.github/workflows/pylint.yml
+++ b/.github/workflows/pylint.yml
@@ -8,6 +8,9 @@ on:
     paths:
       - '**.py'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     runs-on: ubuntu-latest
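Review bot: The workflow-level `permissions: contents: read` block in main.yml applies to every job in the file, and the bodies of `test-functions` (main.yml) and `analyze` (pylint.yml) lie outside both hunks, so it is not visible whether any step needs more than a read token; a step that annotates a pull request, publishes check results or pushes back to the repository would now fail with a 403 and should receive a job-scoped `permissions:` grant for just that scope rather than a wider top-level one. The same consideration applies to the pylint.yml hunk. Since `on: [ push, pull_request ]` also fires for fork pull requests, where GITHUB_TOKEN is already read-only, a short comment would keep the intent clear for the next editor: `# Least-privilege default for GITHUB_TOKEN; widen per job only where a step needs it.`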