From 7fdbb2aa20eb3307f2f47990e07c5404f7e2ae5c Mon Sep 17 00:00:00 2001
From: Jon Langevin
Date: Fri, 29 May 2026 07:13:31 -0400
Subject: [PATCH] security: add least-privilege permissions to Examples CI workflow

Adds top-level 'permissions: contents: read' to examples-ci.yml. Both jobs (validate-examples, examples-overview) only check out and build/test the example modules, so read access is sufficient. Resolves the two actions/missing-workflow-permissions CodeQL alerts (medium).
---
 .github/workflows/examples-ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/examples-ci.yml b/.github/workflows/examples-ci.yml
index 5e908ba3..c998fe2f 100644
--- a/.github/workflows/examples-ci.yml
+++ b/.github/workflows/examples-ci.yml
@@ -11,6 +11,12 @@ on:
 # Allow manual trigger
 workflow_dispatch:
+# Least-privilege default: both jobs only check out and build/test the example
+# modules, so read access to repository contents is sufficient (CodeQL
+# actions/missing-workflow-permissions).
+permissions:
+ contents: read
+
 env:
 GO_VERSION: '^1.26'
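Review bot: The new comment above `permissions:` records why read access is enough, but not the side effect the next editor needs to know: once a `permissions` key is present, every scope not listed is set to `none` for the GITHUB_TOKEN. I would add one line such as `# Unlisted scopes become none; a job that needs more should declare its own job-level permissions.` so that a future need is met by a narrow job-level grant and not by widening this default. The two job definitions are outside the hunk, so I cannot confirm from here that no step relies on a write scope (for example posting a PR comment or a check run); a green run of both jobs on this branch would confirm it.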