Add explicit permissions to workflows following principle of least privilege

Copilot · diberry · Copilot · commit dfbdd1a1c33b · 2025-12-05T18:03:20.000Z
Co-authored-by: diberry &lt;41597107+diberry@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,10 +7,15 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     
     steps:
       - name: Checkout repository
diff --git a/.github/workflows/validate-workflows.yml b/.github/workflows/validate-workflows.yml
@@ -12,10 +12,15 @@ on:
     # Run weekly on Monday at 9:00 AM UTC to check for outdated actions
     - cron: '0 9 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   validate-workflows:
     name: Validate Workflow Files
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     
     steps:
       - name: Checkout repository
@@ -44,6 +49,8 @@ jobs:
   detect-outdated-actions:
     name: Detect Outdated Actions
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     
     steps:
       - name: Checkout repository
@@ -196,6 +203,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [validate-workflows, detect-outdated-actions]
     if: always()
+    permissions:
+      contents: read
     
     steps:
       - name: Create summary
