From 771c34f3efc098192a42fa394938dcbc05625ea5 Mon Sep 17 00:00:00 2001
From: ilhan007
Date: Fri, 15 May 2026 07:20:55 +0300
Subject: [PATCH] chore(ci): add explicit GITHUB_TOKEN permissions to workflows

Add top-level `permissions:` blocks to all workflows to follow the principle of least privilege and prepare for the upcoming default read-only GITHUB_TOKEN enforcement.
---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/deploy.yml | 4 ++++
 .github/workflows/lint.yml | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a2f7a25..1e43190 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 branches:
 - main
+
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f7a142a..69269f6 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -3,6 +3,10 @@ name: Deploy
 on:
 push:
 branches: [main]
+
+permissions:
+ contents: write
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index efbac43..9047e83 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 branches:
 - main
+
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
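Review bot: Declaring `permissions:` with only `contents: read` in ci.yml sets every scope that is not listed to `none`, so any step in `check` that uses GITHUB_TOKEN to post PR comments, check runs or commit statuses would start failing with a permission error. The job's steps lie outside the hunk, so this cannot be confirmed from here; the same applies to the identical block added to lint.yml. If such a step exists, grant only the scope it needs at job level, for example `pull-requests: write` under `check:`, and keep the top-level block read-only.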
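Review bot: The top-level `contents: write` in deploy.yml gives a write-capable token to every job and step in the workflow, including any third-party action it runs on a push to main, which is broader than the commit message's least-privilege goal. The narrower form keeps the workflow default at `contents: read` and sets `permissions:` with `contents: write` on the `deploy` job only. The job's steps are outside the hunk, so it is worth confirming which step needs write access; a deployment that goes through the Pages deployment API would need `pages: write` and `id-token: write` instead. A short comment such as `# write needed by <step> to push the built site` next to the grant would record why it exists.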