From ba2863cd4748417c864680a1966b25b59cde71a4 Mon Sep 17 00:00:00 2001
From: Derek Rein
Date: Tue, 10 Mar 2026 13:17:55 +0700
Subject: [PATCH] ci: add explicit permissions to CI workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves CodeQL alert #2 (actions/missing-workflow-permissions) by setting contents: read — the minimum permission needed for checkout.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0828891..7034c78 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 concurrency:
 group: ci-${{ github.ref }}
 cancel-in-progress: true
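Review bot: The new top-level `permissions:` block has no comment, and declaring it sets every scope other than `contents` to `none` for all jobs in this workflow. The jobs lie outside the hunk, so it is worth confirming that none of them uses the token for writes (PR comments, check runs, package publishing); such steps would now be denied. I would add a comment above the block, `# Least privilege for GITHUB_TOKEN: unlisted scopes are none; grant extras per job, not here.`, so that a later job needing a write scope gets its own job-level `permissions:` instead of widening this default.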