From f46d0967c685e57382e8d9183bb75487d3e6a506 Mon Sep 17 00:00:00 2001
From: Shay Rojansky <roji@roji.org>
Date: Thu, 25 Dec 2025 09:57:59 +0100
Subject: [PATCH] Add empty permissions block in Github Actions configs

To restrict all permissions by default (CodeQL warning)
---
 .github/workflows/build.yml             | 3 +++
 .github/workflows/trigger-doc-build.yml | 3 +++
 EFCore.PG.slnx                          | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b530f807d..bd14700af 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,9 @@ on:
       - v*
   pull_request:
 
+permissions:
+  contents: read
+
 env:
   postgis_version: 3
   DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
diff --git a/.github/workflows/trigger-doc-build.yml b/.github/workflows/trigger-doc-build.yml
index 30c6b5fa6..e8783c9e1 100644
--- a/.github/workflows/trigger-doc-build.yml
+++ b/.github/workflows/trigger-doc-build.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - docs
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/EFCore.PG.slnx b/EFCore.PG.slnx
index 8166ab441..02e7db8e6 100644
--- a/EFCore.PG.slnx
+++ b/EFCore.PG.slnx
@@ -11,7 +11,7 @@
   <Folder Name="/Github/">
     <File Path=".github/dependabot.yml" />
     <File Path=".github/workflows/build.yml" />
-    <File Path=".github/workflows/codeql-analysis.yml" />
+    <File Path=".github/workflows/trigger-doc-build.yml" />
   </Folder>
   <Folder Name="/src/">
     <Project Path="src/EFCore.PG.NodaTime/EFCore.PG.NodaTime.csproj" />