From f92e2ca1726ba0517d7b0a1e56d0c8b9f49400e1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=B4me=20Benoit?= <jerome.benoit@piment-noir.org>
Date: Fri, 15 May 2026 13:27:04 +0200
Subject: [PATCH] ci: set explicit GITHUB_TOKEN read-only permissions

---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b9fed035..03f85a8e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
     types: [opened, synchronize, reopened]
   merge_group:
     branches: [main]
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   check-secrets:
     runs-on: ubuntu-latest
-- 
2.43.0