From bc5f8e6f84b384a9ef9626072ac6d8e6a5f9bfb5 Mon Sep 17 00:00:00 2001
From: Moritz Eysholdt <moritz@ona.com>
Date: Mon, 9 Mar 2026 13:25:28 +0000
Subject: [PATCH] Add permissions block to gradle-build workflow

Restrict GITHUB_TOKEN to contents:read in the Gradle CI workflow,
resolving CodeQL alert actions/missing-workflow-permissions.

Co-authored-by: Ona <no-reply@ona.com>
---
 .github/workflows/gradle-build.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/gradle-build.yml b/.github/workflows/gradle-build.yml
index c24c121b..c0282768 100644
--- a/.github/workflows/gradle-build.yml
+++ b/.github/workflows/gradle-build.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build: