From f1d039a486a644d1e90322efac2069b748faa465 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sat, 17 May 2025 10:14:06 -0700
Subject: [PATCH] ci: harden GH Actions
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/generate-readme.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1d15384..0d8bd8b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,9 @@ concurrency:
 group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint
diff --git a/.github/workflows/generate-readme.yml b/.github/workflows/generate-readme.yml
index 4a09bfb..b2c8414 100644
--- a/.github/workflows/generate-readme.yml
+++ b/.github/workflows/generate-readme.yml
@@ -9,6 +9,9 @@ on:
 - index.ts
 - config.ts
+permissions:
+ contents: read
+
 jobs:
 generate-readme:
 runs-on: ubuntu-latest
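Review bot: The new workflow-level `permissions:` block in ci.yml has no comment, and it restricts more than the `contents` scope. Once any scope is listed, every scope not listed is set to `none` for the GITHUB_TOKEN in each job that does not declare its own block. Only the start of the `lint` job is visible in this hunk, so I cannot confirm whether a later job needs another scope, such as reporting checks or commenting on pull requests. Any such job would need a job-level `permissions:` block. I would add a comment above the block, for example `# Least-privilege default for GITHUB_TOKEN; grant extra scopes per job, not here.`, so later edits do not widen the workflow-wide default.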
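Review bot: The `generate-readme` job is now capped at `contents: read`, yet its name and the `index.ts` / `config.ts` trigger filter suggest it writes a regenerated README back to the repository. If it pushes with the default GITHUB_TOKEN, that push will be rejected after this change. The job body continues outside the hunk, so this needs checking against its steps. If the job does push, keep the workflow-level default read-only and add a job-level `permissions:` block with `contents: write` under `generate-readme:`. Add `pull-requests: write` as well if it opens a pull request instead of pushing.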