From 2f1e92fec3f52b454b02e21c75d148f611501ed2 Mon Sep 17 00:00:00 2001
From: Melissa Kilby <mkilby@apple.com>
Date: Fri, 17 Oct 2025 14:32:28 -0700
Subject: [PATCH] chore: restrict GitHub workflow permissions - future-proof

Signed-off-by: Melissa Kilby <mkilby@apple.com>
---
 .github/workflows/build.yml | 2 ++
 .github/workflows/main.yml  | 2 ++
 .github/workflows/prb.yml   | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4735a0ac5c..9d128c7e1e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,6 +2,8 @@
 # This file was generated from a template using https://github.com/StefMa/pkl-gha
 
 name: Build
+permissions:
+  contents: read
 'on':
   push:
     branches-ignore:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8fdd4055a7..19cbf31b83 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -2,6 +2,8 @@
 # This file was generated from a template using https://github.com/StefMa/pkl-gha
 
 name: Build (main)
+permissions:
+  contents: read
 'on':
   push:
     branches:
diff --git a/.github/workflows/prb.yml b/.github/workflows/prb.yml
index 067424d702..84eabd0bb5 100644
--- a/.github/workflows/prb.yml
+++ b/.github/workflows/prb.yml
@@ -2,6 +2,8 @@
 # This file was generated from a template using https://github.com/StefMa/pkl-gha
 
 name: Pull Request
+permissions:
+  contents: read
 'on':
   pull_request: {}
 jobs: