From 1bd0d746ba8c9a508ba9d3d2dcbd797c64fedcdc Mon Sep 17 00:00:00 2001
From: Nicolas Brieussel
Date: Tue, 14 Apr 2026 01:33:19 +0200
Subject: [PATCH] fix: restrict GITHUB_TOKEN to contents: read in sync workflow

The GITHUB_TOKEN previously inherited org-wide default permissions. Since the workflow only uses GitHub App credentials for the sync and GITHUB_TOKEN is only needed for the two actions/checkout steps, restrict it to contents: read.

Closes #3
---
 .github/workflows/safe-settings-sync.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/safe-settings-sync.yml b/.github/workflows/safe-settings-sync.yml
index f03db15..b14bcbd 100644
--- a/.github/workflows/safe-settings-sync.yml
+++ b/.github/workflows/safe-settings-sync.yml
@@ -21,6 +21,8 @@ jobs:
   sync:
     name: Sync org settings${{ github.event.inputs.nop == 'true' && ' (dry-run)' || '' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       SAFE_SETTINGS_VERSION: 2.1.17
       SAFE_SETTINGS_CODE_DIR: ${{ github.workspace }}/.safe-settings-code
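Review bot: The new `permissions:` block sits at job level, so only the `sync` job gets the read-only GITHUB_TOKEN; any job added to this workflow later would silently fall back to the org/repo default that the commit is trying to get away from. If `sync` is the only job (the top of the workflow is outside the hunk, so this is inferred), the same two lines placed at workflow level, above `jobs:`, make least privilege the file-wide default while a job can still widen its own scope explicitly. The rationale for why read-only is sufficient currently lives only in the commit message; a comment above the block would keep it with the code, e.g. `# GITHUB_TOKEN is used only by the actions/checkout steps; the sync itself authenticates with GitHub App credentials`.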