From e0b2c5ea877148709c237765106cbe3d70fe89f5 Mon Sep 17 00:00:00 2001
From: Melissa Kilby <mkilby@apple.com>
Date: Fri, 10 Oct 2025 16:47:16 -0700
Subject: [PATCH] chore: restrict GitHub workflow permissions - future-proof

Signed-off-by: Melissa Kilby <mkilby@apple.com>
---
 .github/workflows/main_using_main.yml    | 3 +++
 .github/workflows/main_using_release.yml | 3 +++
 .github/workflows/pull_request.yml       | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/main_using_main.yml b/.github/workflows/main_using_main.yml
index 963a6728c..dbf27c0f4 100644
--- a/.github/workflows/main_using_main.yml
+++ b/.github/workflows/main_using_main.yml
@@ -1,5 +1,8 @@
 name: main branch, main toolchain
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/main_using_release.yml b/.github/workflows/main_using_release.yml
index 151e94874..b861be1f8 100644
--- a/.github/workflows/main_using_release.yml
+++ b/.github/workflows/main_using_release.yml
@@ -1,5 +1,8 @@
 name: main branch, 6.2 toolchain
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 19725c9da..084fd1d87 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,5 +1,8 @@
 name: Pull request
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, reopened, synchronize]