From 13c5dbdcd62ea9c3e49790609f7b62e875e465fc Mon Sep 17 00:00:00 2001
From: Alex Tomkins <tomkins@darkzone.net>
Date: Sat, 7 Feb 2026 19:11:50 +0000
Subject: [PATCH] Limit overall permissions for GitHub Actions

---
 .github/workflows/ci.yml      | 2 ++
 .github/workflows/publish.yml | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d3d9cc4..13dc1db 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,8 @@ on: pull_request
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+permissions:
+  contents: read
 jobs:
   matrix:
     name: Build test matrix
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5de63f3..3b5b902 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - "*"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build packages