From 2850511c61165017e0fde980b3f193c0e6f03ceb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20M=C3=BCller?=
Date: Wed, 25 Feb 2026 14:47:05 +0100
Subject: [PATCH] fix: add explicit permissions to GitHub workflows

Add minimal permissions declarations to build.yml (contents: read) and caches.yml (actions: write) to avoid running with overly broad default token permissions. Resolves CodeQL actions/missing-workflow-permissions alerts.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/build.yml | 3 +++
 .github/workflows/caches.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 84bd099..6a22a0a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,9 @@ on:
 branches: [ main ]
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 lint-and-typecheck:
 name: Linting and Type Checking
diff --git a/.github/workflows/caches.yml b/.github/workflows/caches.yml
index a65977d..073709b 100644
--- a/.github/workflows/caches.yml
+++ b/.github/workflows/caches.yml
@@ -4,6 +4,9 @@ on:
 types:
 - closed
 
+permissions:
+ actions: write
+
 jobs:
 cleanup:
 runs-on: ubuntu-latest
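Review bot: The workflow-level `permissions` block in build.yml sets every scope other than `contents` to none for all jobs in the file, and only the start of `lint-and-typecheck` is visible in this hunk. If a job further down posts PR comments, writes check runs or requests an OIDC token, it will now need its own job-level `permissions` entry rather than a wider top-level one. I would record that intent with a comment above the block, e.g. `# Least privilege: read-only token for every job; grant extra scopes per job, not here.`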
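Review bot: `actions: write` in caches.yml is declared at workflow level, so any job later added to this file inherits a write-capable token; nesting the two lines under `cleanup:` keeps the write scope on the one job that presumably deletes caches. The trigger line is outside the hunk: if it is `pull_request`, runs for PRs from forks normally receive a read-only token regardless of this block, so the cleanup would not take effect there, and if it is `pull_request_target` the write scope is live and the job should not check out or execute PR-controlled content. The job's steps are also outside the hunk, so confirm none of them rely on `contents: read`, which this block now removes.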