From a50c00de9afe9aa2bba790c3134c84ca8be88e70 Mon Sep 17 00:00:00 2001
From: zerosnacks
Date: Mon, 15 Sep 2025 10:55:38 +0200
Subject: [PATCH 1/3] scope permissions, cache requires write
---
 .github/workflows/ci.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f59159895..1e3e30c69 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
+permissions:
+ contents: read
+
 on:
 push:
 branches: [main]
@@ -18,6 +21,8 @@ jobs:
 name: test ${{ matrix.rust }} ${{ matrix.flags }} (${{ matrix.os }})
 runs-on: ${{ matrix.os }}
 timeout-minutes: 30
+ permissions:
+ actions: write
 strategy:
 fail-fast: false
 matrix:
@@ -30,6 +35,8 @@ jobs:
 flags: "--all-features"
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@master
 with:
 toolchain: ${{ matrix.rust }}
@@ -48,8 +55,12 @@ jobs:
 doctest:
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ actions: write
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
 - uses: Swatinem/rust-cache@v2
 with:
@@ -59,8 +70,12 @@ jobs:
 feature-checks:
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ actions: write
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
 - uses: taiki-e/install-action@cargo-hack
 - uses: Swatinem/rust-cache@v2
@@ -72,8 +87,12 @@ jobs:
 clippy:
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ actions: write
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
 with:
 components: clippy
@@ -87,8 +106,12 @@ jobs:
 docs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ actions: write
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@nightly
 - uses: Swatinem/rust-cache@v2
 with:
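Review bot: The `uses:` lines around the added `persist-credentials: false` in the `@@ -30,6 +35,8 @@` hunk still resolve at run time: `actions/checkout@v5` is a movable tag and `dtolnay/rust-toolchain@master` is a branch, so the scoped token does not fix which action code each job executes. The same applies to `dtolnay/rust-toolchain@stable` and `@nightly`, `Swatinem/rust-cache@v2` and `taiki-e/install-action@cargo-hack` in the later hunks of this patch. Pinning each reference to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v5`, would complete the hardening this patch starts. For `dtolnay/rust-toolchain` a SHA pin presumably needs an explicit `toolchain:` input, as the step in that hunk already passes. The job bodies start and end outside these hunks.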
@@ -102,6 +125,8 @@ jobs:
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@nightly
 with:
 components: rustfmt
@@ -113,6 +138,7 @@ jobs:
 ci-success:
 runs-on: ubuntu-latest
 if: always()
+ permissions: {}
 needs:
 - test
 - doctest
From c8faee48de5bc29d4bcefc341b8e6686fe3e1077 Mon Sep 17 00:00:00 2001
From: zerosnacks
Date: Mon, 15 Sep 2025 11:32:35 +0200
Subject: [PATCH 2/3] use nightly clippy in line with other foundry crates
---
 .github/workflows/ci.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1e3e30c69..764424dbe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -93,9 +93,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 persist-credentials: false
- - uses: dtolnay/rust-toolchain@stable
- with:
- components: clippy
+ - uses: dtolnay/rust-toolchain@clippy
 - uses: Swatinem/rust-cache@v2
 with:
 cache-on-failure: true
From 8ea804c88f5499e50570a7063568d66c6a9855c2 Mon Sep 17 00:00:00 2001
From: zerosnacks
Date: Mon, 15 Sep 2025 12:37:08 +0200
Subject: [PATCH 3/3] drop write permissions, not necessary
---
 .github/workflows/ci.yml | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 764424dbe..397a2ffe4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,8 +21,6 @@ jobs:
 name: test ${{ matrix.rust }} ${{ matrix.flags }} (${{ matrix.os }})
 runs-on: ${{ matrix.os }}
 timeout-minutes: 30
- permissions:
- actions: write
 strategy:
 fail-fast: false
 matrix:
@@ -55,8 +53,6 @@ jobs:
 doctest:
 runs-on: ubuntu-latest
 timeout-minutes: 30
- permissions:
- actions: write
 steps:
 - uses: actions/checkout@v5
 with:
@@ -70,8 +66,6 @@ jobs:
 feature-checks:
 runs-on: ubuntu-latest
 timeout-minutes: 30
- permissions:
- actions: write
 steps:
 - uses: actions/checkout@v5
 with:
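Review bot: The added `- uses: dtolnay/rust-toolchain@clippy` in the `@@ -93,9 +93,7 @@` hunk moves the lint job to a nightly toolchain (per the commit subject) that is chosen by a branch name, so the set of lints can change between runs with no change in this repository. If the clippy step denies warnings, which is not visible in this hunk, a newly added nightly lint would fail unrelated pull requests and weaken `ci-success` as a merge signal. Consider a dated toolchain that is bumped deliberately, e.g. `toolchain: nightly-YYYY-MM-DD` together with `components: clippy` (the date is a placeholder). Failing that, a comment above the step such as `# nightly clippy: lint set floats, see other foundry crates` would record that the drift is intended. The clippy job starts and ends outside the hunk.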
@@ -87,8 +81,6 @@ jobs:
 clippy:
 runs-on: ubuntu-latest
 timeout-minutes: 30
- permissions:
- actions: write
 steps:
 - uses: actions/checkout@v5
 with:
@@ -104,8 +96,6 @@ jobs:
 docs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
- permissions:
- actions: write
 steps:
 - uses: actions/checkout@v5
 with: