From 5c10ba1f03c1f17d8f9aacb5863e3e934fc1c9c4 Mon Sep 17 00:00:00 2001 From: Dong Ma Date: Mon, 9 Mar 2026 23:25:28 +0800 Subject: [PATCH] ci: enforce least-privilege permissions for GitHub Actions workflows Signed-off-by: Dong Ma --- .github/workflows/cargo.yml | 3 +++ .github/workflows/image.yml | 2 ++ .github/workflows/nix-image.yaml | 2 ++ 3 files changed, 7 insertions(+) diff --git a/.github/workflows/cargo.yml b/.github/workflows/cargo.yml index 6473173..03fdeec 100644 --- a/.github/workflows/cargo.yml +++ b/.github/workflows/cargo.yml @@ -7,6 +7,9 @@ on: type: boolean default: false +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml index 7e24f03..33b6e62 100644 --- a/.github/workflows/image.yml +++ b/.github/workflows/image.yml @@ -25,6 +25,8 @@ on: required: false default: false +permissions: {} + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/nix-image.yaml b/.github/workflows/nix-image.yaml index 11049ec..e5774bb 100644 --- a/.github/workflows/nix-image.yaml +++ b/.github/workflows/nix-image.yaml @@ -22,6 +22,8 @@ on: description: Image reference value: ${{ jobs.build.outputs.image-ref }} +permissions: {} + jobs: amd64: runs-on: ubuntu-24.04
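Review bot: The new workflow-level `permissions: contents: read` in cargo.yml becomes the token scope for every job in the file, and the hunk shows only the `on:` inputs and the start of the `test` job, so it is worth confirming that no job further down needs more than read access (posting PR comments via `actions/github-script`, pushing a branch or tag, writing checks); such a job should get its own job-level `permissions:` block rather than the workflow default being widened again. Note that a job-level block replaces the workflow-level setting instead of intersecting with it, so any job that declares one must list `contents: read` itself if it checks out code. A one-line comment would stop later contributors from casually relaxing this, e.g. `permissions:  # least privilege: read-only GITHUB_TOKEN is all a test job needs`. The `test` job's body continues outside the hunk.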
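Review bot: `permissions: {}` at the top of image.yml leaves GITHUB_TOKEN with nothing but `metadata: read` for any job that does not declare its own block, so the `build` job, whose body lies outside the hunk, must carry job-level scopes for whatever it actually does (`contents: read` for checkout of a private repo, `packages: write` for a GHCR push, `id-token: write` if it signs or pushes via OIDC); if it does not, the token-dependent steps will fail with 403 only at push time, long after the build has run. A job-level `permissions:` block overrides rather than narrows the workflow default, so it should list exactly the needed scopes and nothing more. I would document the intent inline, `permissions: {}  # default deny; each job declares the scopes it needs`, so the empty map is not mistaken for an omission.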
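Review bot: The `workflow_call` outputs visible just above the new `permissions: {}` in nix-image.yaml mark this as a reusable workflow, and for a called workflow the token scopes are bounded by what the caller grants and can only be narrowed, never widened, from inside the file; so the `amd64` job (and any sibling job beyond the hunk) that pushes an image needs both a job-level `permissions:` block and a matching grant in every caller, otherwise the push fails regardless of what this file requests. It would also be worth checking that whichever workflow calls this one (image.yml, if it is the caller) grants at least those scopes after its own `permissions: {}` change. A comment on the new line would make the contract explicit for callers, e.g. `permissions: {}  # reusable workflow: jobs below request scopes; callers must grant them`. The `amd64` job's body continues outside the hunk.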