From 502f641bbbe7ef206d3f2a4bb439a84a4ce41b86 Mon Sep 17 00:00:00 2001
From: Stephen Morgan
Date: Wed, 23 Jul 2025 01:45:38 +1200
Subject: [PATCH] ci: explicit permissions on actions (#326)
---
 .github/workflows/check-dist.yml | 4 ++++
 .github/workflows/start.yml | 3 +++
 .github/workflows/test.yml | 3 +++
 3 files changed, 10 insertions(+)
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
index f69123a..a6f841d 100644
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -16,6 +16,10 @@ on:
 - '**.md'
 workflow_dispatch:

+permissions:
+ contents: read
+ actions: write
+
 jobs:
 check-dist:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/start.yml b/.github/workflows/start.yml
index 00f57ec..a2e2155 100644
--- a/.github/workflows/start.yml
+++ b/.github/workflows/start.yml
@@ -14,6 +14,9 @@ defaults:
 run:
 shell: bash

+permissions:
+ contents: read
+
 jobs:
 e2e: # make sure the action works on a clean machine without building
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a4c4ec1..c76264b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -5,6 +5,9 @@ on: # rebuild any PRs and main branch changes
 branches:
 - main

+permissions:
+ contents: read
+
 defaults:
 run:
 shell: bash
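Review bot: `actions: write` in check-dist.yml is granted at workflow level, so every job and step that receives GITHUB_TOKEN gets write access to the Actions API (cancelling or re-running runs, deleting caches and artifacts), and nothing in the hunk says which step needs it. The check-dist job body lies outside the hunk, so the need cannot be confirmed from here; if no step calls that API, `contents: read` alone would match the other two workflows. If the scope is required, move it into a `permissions:` block under `jobs.check-dist` and record the reason next to it, e.g. `# actions: write is required by <step name>`.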
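Review bot: The new `permissions:` block in start.yml has no comment explaining its side effect: once any scope is listed, every unlisted scope drops to `none`, so a step added later that needs another scope is denied unless its job overrides the block. A one-line comment above the block would save the next maintainer a debugging round, e.g. `# Least privilege: unlisted scopes are none; grant extras per job.` The same applies to the identical block in the test.yml hunk. As a style point, start.yml places the block after `defaults:` while test.yml places it before; picking one position across the workflows makes the token scope easier to audit at a glance.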