From 22d72e8a34f2e49e1f19ac9d4ec5ec507855110c Mon Sep 17 00:00:00 2001
From: Julian Tabel
Date: Tue, 17 Feb 2026 19:34:07 +0100
Subject: [PATCH] Restrict workflow permissions to contents: read

All CI jobs and the deploy workflow only need to read repo contents. Adding explicit top-level permissions satisfies zizmor's excessive-permissions audit.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/deploy.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 80fac44..0c76b0b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ on:
 - ".gitignore"
 - ".github/workflows/deploy.yml"
+permissions:
+ contents: read
+
 jobs:
 backend-lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8b08735..f3329e4 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -3,6 +3,9 @@ name: Deploy
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
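Review bot: The new top-level `permissions: contents: read` in ci.yml is a default, not a ceiling — any job that later declares its own `permissions:` block replaces it wholesale for that job, so a job-level `contents: write` or `write-all` would re-escalate without touching this line; a short comment above the key should make that contract explicit, e.g. `# Least-privilege default for every job; a job needing more scopes must declare its own permissions block (job-level keys replace, not merge with, this one).` The job definitions (backend-lint and whatever follows) run past the end of this hunk, so whether every job really needs only contents — the commit message asserts it — cannot be confirmed from here; anything that comments on a PR, publishes check annotations or pushes tags will start failing with 403s under this token and should get a narrow job-level grant rather than a wider top level. Note also that listing only `contents` sets every unlisted scope to none, which is the intended effect but is worth stating in that comment for the next maintainer.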
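Review bot: In deploy.yml the top-level `contents: read` also drops `id-token` and `pages` to none, so if the `deploy` job — whose body continues past the end of this hunk — authenticates to a cloud provider via OIDC or publishes GitHub Pages, it now needs a job-level grant such as `permissions: {contents: read, id-token: write}` on that job, not a wider top-level block. If it instead deploys with a stored secret, the read-only GITHUB_TOKEN is correct but the secret is then the credential to protect and this change does not narrow it; since the workflow is `workflow_dispatch`-only, restricting who may dispatch it (environment protection rules or required reviewers) is the companion control. A one-line comment naming which case applies, e.g. `# Deploy does not use GITHUB_TOKEN to write; any extra scope belongs on the deploy job, not here.`, would stop a future zizmor finding from being "fixed" by widening this block.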