From 569f5e0a26366668d0b9562d344f3217d119d0b6 Mon Sep 17 00:00:00 2001
From: Yacov Manevich
Date: Mon, 20 Apr 2026 00:27:26 +0200
Subject: [PATCH] Restrict GITHUB_TOKEN to read-only in CI workflow

Set workflow-level permissions to contents: read and pull-requests: read to follow least-privilege for the CI job.

Co-Authored-By: Claude Opus 4.7 (1M context)
Signed-off-by: Yacov Manevich
---
 .github/workflows/ci.yaml | 4 ++++
 .github/workflows/lint.yaml | 1 +
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 69feddaf..265c60cc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -7,6 +7,10 @@ on:
 pull_request:
 branches: ['**']
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 build:
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index b4fc5229..78de5893 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
+ pull-requests: read
 jobs:
 format:
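Review bot: The new workflow-level `permissions:` block in ci.yaml sets every scope it does not list to none, so any job under `jobs:` (the `build:` job and anything after it lie outside the hunk) that pushes commits, creates releases, publishes packages or requests an OIDC token will now get a 403 and needs its own job-level `permissions:` override. Checking out the PR head for the `pull_request` trigger needs only `contents: read`, so unless a step calls the pull-request API the `pull-requests: read` line is surplus to least privilege here and in the lint.yaml hunk below. A short comment above the block would make the intent explicit for the next editor: `# least privilege: jobs that need write scopes must override at job level`.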
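Review bot: In lint.yaml the added `pull-requests: read` widens a permission set that was already minimal — `contents: read` is existing context — so this hunk grants more than before rather than restricting, which does not match the commit subject. Unless a step in the `format:` job (outside the hunk) reads PR metadata, the line should be dropped; if one does, tie the grant to it in place, e.g. `pull-requests: read  # needed by <step name> to read PR metadata`, so a later reviewer can see why the scope exists.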