From 7484878459802bc5f0dabd876c52f25d202d1dac Mon Sep 17 00:00:00 2001
From: initstring <26131150+initstring@users.noreply.github.com>
Date: Sun, 21 Sep 2025 20:01:51 +1000
Subject: [PATCH] Restrict default GitHub token permissions
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/docker-pr.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f73a7fe..3c409b6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on:
 branches: [ main ]
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml
index a0e3b8b..3446465 100644
--- a/.github/workflows/docker-pr.yml
+++ b/.github/workflows/docker-pr.yml
@@ -3,6 +3,9 @@ name: Validate Docker Build
 on:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 validate-docker-build:
 name: Build Docker Image (no push)
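Review bot: The top-level `permissions:` block added in ci.yml has no comment saying that it is the workflow-wide default for GITHUB_TOKEN, and that declaring any scope sets every unlisted scope to `none`; the identical block in docker-pr.yml has the same gap. Without that, a later job that needs a write scope is likely to widen this block instead of declaring its own job-level `permissions:`. I would add `# Least privilege: workflow-wide GITHUB_TOKEN default; unlisted scopes are none. Grant extras per job, not here.` above `permissions:` in both files. The job steps lie outside both hunks, so whether build-and-test or validate-docker-build depends on a scope beyond `contents: read` cannot be confirmed from here and is worth checking on a same-repository pull request run.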