From 5ef8fa015a88d417897da75cdeb18c7ba29767ed Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Wed, 15 Apr 2026 11:14:14 +0200
Subject: [PATCH] Add explicit permissions to workflows

---
 .github/workflows/build-lint-test.yml | 3 +++
 .github/workflows/main.yml | 5 +++++
 .github/workflows/publish-release.yml | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml
index 57481ae..1fe822f 100644
--- a/.github/workflows/build-lint-test.yml
+++ b/.github/workflows/build-lint-test.yml
@@ -3,6 +3,9 @@ name: Build, Lint, and Test
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 prepare:
 name: Prepare
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index cf0d297..70c90da 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,6 +5,9 @@ on:
 branches: [main]
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 check-workflows:
 name: Check workflows
@@ -71,6 +74,7 @@ jobs:
 - check-workflows
 - analyse-code
 - build-lint-test
+ permissions: {}
 outputs:
 PASSED: ${{ steps.set-output.outputs.PASSED }}
 steps:
@@ -83,6 +87,7 @@ jobs:
 if: ${{ always() }}
 runs-on: ubuntu-latest
 needs: all-jobs-completed
+ permissions: {}
 steps:
 - name: Check that all jobs have passed
 run: |
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 543ffe5..daedf40 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -9,6 +9,10 @@ on:
 required: true
 PUBLISH_DOCS_TOKEN:
 required: true
+
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
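Review bot: The top-level `permissions: contents: read` added to build-lint-test.yml (and the identical block in the first main.yml hunk) sets every unlisted GITHUB_TOKEN scope to none for all jobs in the file, and the job bodies lie outside these hunks, so it is worth confirming that none of them relies on another scope. In main.yml the diffstat shows only the two `permissions: {}` lines besides the top-level block, so `check-workflows`, `analyse-code` and `build-lint-test` all run with read-only contents; if `analyse-code` uploads code-scanning results (not visible here), that job would need its own `security-events: write`. Because build-lint-test.yml is invoked through `workflow_call`, its block can only narrow what the calling job grants, never widen it. A one-line comment above each block, e.g. `# Least privilege: GITHUB_TOKEN is read-only by default; grant extra scopes per job.`, would keep later edits from widening the top-level default.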
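Review bot: In publish-release.yml the new `permissions` block restricts only GITHUB_TOKEN; the secrets declared just above it, such as `PUBLISH_DOCS_TOKEN`, keep whatever access they were issued with, so the publish steps remain the sensitive part of this workflow. The jobs begin at the hunk's last lines and continue outside it; if any of them creates a tag or GitHub release with GITHUB_TOKEN, or requests an OIDC token, it needs a job-level grant such as `contents: write` or `id-token: write` on that job only, and the calling job has to allow the same scope. Consider adding the comment `# Scopes GITHUB_TOKEN only; PUBLISH_DOCS_TOKEN and other secrets are unaffected.` above the block.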