From bea0666e6f30bb5bf86ddcba5b2da5b9349a433d Mon Sep 17 00:00:00 2001
From: Cindy Hill <110551331+cinderellasecure@users.noreply.github.com>
Date: Fri, 17 Oct 2025 15:15:27 -0600
Subject: [PATCH] Potential fix for code scanning alert no. 4: Workflow does not contain permissions

As part of the organization's transition to default read-only permissions for the GITHUB_TOKEN, this pull request addresses a missing permission in the workflow that triggered a code scanning alert. This PR explicitly adds the required read permissions to align with the default read only permission and is part of a larger effort for this OKR github/security-services#455 .

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/cost-center-sync-cached.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/cost-center-sync-cached.yml b/.github/workflows/cost-center-sync-cached.yml
index 22a273c..184fdc7 100644
--- a/.github/workflows/cost-center-sync-cached.yml
+++ b/.github/workflows/cost-center-sync-cached.yml
@@ -20,6 +20,9 @@ on:
 default: false
 type: boolean
 
+permissions:
+ contents: read
+
 jobs:
 sync-cost-centers:
 runs-on: ubuntu-latest
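Review bot: The added top-level `permissions:` block has no comment recording that every scope it does not list is set to `none`, which matters here because `contents: read` is the only grant and it applies to all jobs in the file. I would put `# Least privilege: GITHUB_TOKEN is limited to contents: read; unlisted scopes are none` on the line above `permissions:`. The steps of `sync-cost-centers` lie outside the hunk, so whether any of them uses the token for something beyond reading the repository cannot be checked from here; if one does, a job-level `permissions:` entry for that scope is a narrower fix than widening this block.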