From f578741f72a0162aac137344889dd8b9a410c996 Mon Sep 17 00:00:00 2001
From: Melissa Kilby <mkilby@apple.com>
Date: Fri, 10 Oct 2025 17:22:35 -0700
Subject: [PATCH] chore: restrict GitHub workflow permissions - future-proof

Signed-off-by: Melissa Kilby <mkilby@apple.com>
---
 .github/workflows/ci.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f12a6a5e6..4db630c1e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,7 +1,12 @@
 name: test
+
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
+
 on:
   pull_request: { types: [opened, reopened, synchronize, ready_for_review] }
   push: { branches: [ main ] }