From db76d5e8ea999428d3d29d97e212d0195c50cdcb Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Wed, 13 May 2026 07:02:44 +0000
Subject: [PATCH] Declare workflow-level permissions for CI and TODO-to-Issue
ci.yml: contents: read (gradle build + unit tests + lint). todo-to-issue.yml: contents: write + issues: write because alstr/todo-to-issue-action creates issues for TODO comments and pushes the rewritten files back to the PR head branch.
Signed-off-by: Arpit Jain
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/todo-to-issue.yml | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 20dea514ed..a58af7a0f2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,6 +19,9 @@ on:
 pull_request:
 branches: [ "master" ]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/todo-to-issue.yml b/.github/workflows/todo-to-issue.yml
index ff2b43ef1f..20dface723 100644
--- a/.github/workflows/todo-to-issue.yml
+++ b/.github/workflows/todo-to-issue.yml
@@ -22,6 +22,10 @@ on:
 pull_request:
 branches: [ "master" ]
+permissions:
+ contents: write # the workflow pushes a commit back to the PR head branch
+ issues: write # alstr/todo-to-issue-action creates issues for TODOs
+
 jobs:
 build:
 runs-on: ubuntu-latest
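Review bot: In todo-to-issue.yml the `contents: write` and `issues: write` grants sit at workflow level, so every job in this `pull_request`-triggered workflow, including any added later, inherits a token that can push to the repository. The `build` job continues outside the hunk, but if it is the only job that needs write access, the grant is better scoped to it: keep `permissions:` / `contents: read` at the top and put `permissions:`, `contents: write`, `issues: write` under `build:` next to `runs-on`. Every step in that job, including third-party actions, can use the write token, so it is worth confirming that the `uses:` references (not visible here) are pinned to a full commit SHA rather than a mutable tag. For pull requests from forks GitHub issues a read-only token by default regardless of this block, so the push-back and issue creation described in the commit message would presumably not work on those runs.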