From 9959328c390576b49f9c7136db1b53b7b7d3c968 Mon Sep 17 00:00:00 2001
From: Jingyu Ma
Date: Sun, 15 Mar 2026 15:08:11 -0700
Subject: [PATCH] Add permissions to workflow files to resolve security warnings

Add explicit 'permissions: contents: read' to ci.yml, doc.yml, coverage.yml, and ci-coverage.yml to follow the principle of least privilege and resolve code scanning alerts.
---
 .github/workflows/ci-coverage.yml | 3 +++
 .github/workflows/ci.yml | 3 +++
 .github/workflows/coverage.yml | 3 +++
 .github/workflows/doc.yml | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/.github/workflows/ci-coverage.yml b/.github/workflows/ci-coverage.yml
index 0562ccd..bf59d81 100644
--- a/.github/workflows/ci-coverage.yml
+++ b/.github/workflows/ci-coverage.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   diff-coverage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6f3dda6..e921e39 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index ca92094..5d41de5 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   coverage-matrix:
     name: Coverage on ${{ matrix.os }} / ${{ matrix.target }}
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index 3f9bb4e..1c7d9c4 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build-docs:
     runs-on: ubuntu-latest
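Review bot: A workflow-level `permissions:` block replaces the default token grant for every job, so the `diff-coverage` job in ci-coverage.yml now has only `contents: read` and nothing else; if any of its steps comments on the pull request or sets a commit status (typical for diff-coverage tooling), that call will start failing with a 403 once this merges. The job body is outside the hunk, so I cannot confirm that from here, but it should be checked before merging. If a write is needed, keep the workflow-level `contents: read` and grant the narrower scope on the job only, e.g. under `diff-coverage:` add `permissions:` / `  contents: read` / `  pull-requests: write`, rather than widening the workflow block. Note that for `pull_request` runs from forks the token is read-only regardless, so any such step must also tolerate that case.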
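Review bot: The new `permissions:` block in ci.yml carries no comment, and a bare `contents: read` is exactly the kind of line a later contributor widens to `write` to make a failing step pass; a one-line rationale above it makes the intent reviewable, e.g. `# Least privilege: GITHUB_TOKEN may only read the repo (checkout). Grant extra scopes per job, never here.` The `on:` block starts above the hunk, so it is not visible whether this workflow also runs on `push`; that is where the explicit block matters most, since same-repo push and PR runs would otherwise receive the repository's default token grant, whereas fork PRs are already read-only. For the `test` job as far as it is visible (checkout, matrix strategy, test run) `contents: read` is the correct minimum.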
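Review bot: The `coverage-matrix` job in coverage.yml inherits only `contents: read` from the new block; that is sufficient for checkout and for `actions/upload-artifact`, but not for publishing coverage as check-run annotations (`checks: write`) or a PR comment (`pull-requests: write`), and the job body runs past the hunk so I cannot tell which it does. If a step uploads to an external coverage service with a repository secret instead, `contents: read` is fine, but remember that secrets are not exposed to `pull_request` runs from forks, so such a step should be written to skip cleanly when the secret is empty rather than fail the matrix. Whichever applies, add the scope on the job (`permissions:` under `coverage-matrix:`) and leave the workflow default at read-only.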
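Review bot: doc.yml is the file most likely to need more than `contents: read`: if a job after `build-docs` deploys the site (pushing to a `gh-pages` branch, or `actions/deploy-pages`), the workflow-level block now denies it, since `permissions:` at workflow level replaces rather than supplements the default grant. The rest of the file is outside the hunk, so this is a possibility to verify, not a confirmed break. If a deploy job exists, keep the workflow-level `contents: read` and scope the deploy job alone, e.g. `permissions:` / `  pages: write` / `  id-token: write` for `deploy-pages`, or `contents: write` for a branch push, and gate that job on `github.event_name != 'pull_request'` so a fork PR never reaches a write path.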