From a363e1049e94d7b438df41c64574cdf7a338399a Mon Sep 17 00:00:00 2001
From: Rick Newton-Rogers <rnro@apple.com>
Date: Thu, 30 Oct 2025 15:48:07 +0000
Subject: [PATCH] Add explicit read permissions to workflows

Motivation:

* More secure GitHub Actions workflows

Modifications:

Add explicit 'contents: read' permissions to workflows that did not have
explicit permissions defined. This follows GitHub Actions security best
practices by limiting the default GITHUB_TOKEN permissions.

Result:

An extra layer of security.
---
 .github/workflows/main.yml               | 3 +++
 .github/workflows/pull_request.yml       | 3 +++
 .github/workflows/pull_request_label.yml | 3 +++
 .github/workflows/soundness.yml          | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ca46fa2c..f7cc67c8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,8 @@
 name: Main
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index bcc82e41..a76ac492 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,5 +1,8 @@
 name: PR
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [main]
diff --git a/.github/workflows/pull_request_label.yml b/.github/workflows/pull_request_label.yml
index d83c5999..096f66e5 100644
--- a/.github/workflows/pull_request_label.yml
+++ b/.github/workflows/pull_request_label.yml
@@ -1,5 +1,8 @@
 name: PR
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]
diff --git a/.github/workflows/soundness.yml b/.github/workflows/soundness.yml
index cd3f196a..b74f2de0 100644
--- a/.github/workflows/soundness.yml
+++ b/.github/workflows/soundness.yml
@@ -1,5 +1,8 @@
 name: Soundness
 
+permissions:
+  contents: read
+
 on:
   workflow_call: