From 385384e4cbbea5a78565acfa309c474b79d79fd5 Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Tue, 26 May 2026 08:10:12 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on ci and build-swc

Workflow runs checks only; no GitHub API writes. Post-CVE-2025-30066 hardening pattern.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/build-swc.yml | 3 +++
 .github/workflows/ci.yml        | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/build-swc.yml b/.github/workflows/build-swc.yml
index 64570d3b5..b8b5c0492 100644
--- a/.github/workflows/build-swc.yml
+++ b/.github/workflows/build-swc.yml
@@ -6,6 +6,9 @@ on:
       - 'tools/*'
       - 'deps/*'
 
+permissions:
+  contents: read
+
 jobs:
   build-swc:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eee156691..14c4748b6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,9 @@ name: CI
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   commit-lint:
     name: Commit Lint