From 268337e46c888c723268c4c16446388bb74627c6 Mon Sep 17 00:00:00 2001
From: aler9 <46489434+aler9@users.noreply.github.com>
Date: Sat, 6 Jun 2026 20:29:03 +0200
Subject: [PATCH] restrict GitHub Actions workflow permissions
---
 .github/workflows/dialects.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/test.yml | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/.github/workflows/dialects.yml b/.github/workflows/dialects.yml
index 816fede96..ef22297a5 100644
--- a/.github/workflows/dialects.yml
+++ b/.github/workflows/dialects.yml
@@ -5,6 +5,9 @@ on:
 - cron: '4 5 * * *'
 workflow_dispatch:
 
+permissions:
+ contents: write
+
 jobs:
 dialects:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4d8ff1134..3e065946e 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main ]
 
+permissions:
+ contents: read
+
 jobs:
 go:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ea0475bc4..5693435eb 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main ]
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-24.04
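Review bot: `contents: write` in dialects.yml is granted at workflow level, so every job and step in the workflow, including any action it calls, receives a token that can push to the repository. The `dialects` job body lies outside the hunk, so the step that needs write access is not visible; if only that job pushes, set the workflow default to `permissions: {}` (or `contents: read`) and put `permissions:` with `contents: write` on the job itself. A one-line comment above the block, for example `# contents: write is required by the step that commits the regenerated files` (wording to be confirmed against the job), would record why this workflow is the exception. If the job opens a pull request with the default token, note that every unlisted scope is now `none`, so `pull-requests: write` would have to be added as well.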
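Review bot: Declaring a `permissions:` block sets every scope that is not listed to `none`, so in lint.yml (and likewise in the test.yml hunk) the token now carries `contents: read` and nothing else. The `go` and `test` job bodies are outside both hunks; if any step there reads pull-request metadata through the API, publishes check results, or requests an OIDC token, it needs its own entry such as `pull-requests: read`. A missing scope would only show up as a failed step on the next run, so it is worth confirming against the steps before merging.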