From ed007f30fac732fcd66cb4a0d3e2578841e6fcc9 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sun, 22 Feb 2026 17:33:22 -0800
Subject: [PATCH] add explicit permissions
---
 .github/workflows/codeql.yml | 4 ++++
 .github/workflows/license_check.yml | 3 +++
 .github/workflows/pre-commit.yml | 3 +++
 3 files changed, 10 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a16483a38..c48d7ddd3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,11 +29,15 @@ on:
 schedule:
 - cron: '16 4 * * 1'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze Actions
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 security-events: write
 packages: read
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
index df5aff850..116895b07 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -19,6 +19,9 @@ name: "Run License Check"
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 license-check:
 name: "License Check"
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index ef18b855d..4ab53a4de 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -24,6 +24,9 @@ on:
 - '**'
 - '!dependabot/**'
+permissions:
+ contents: read
+
 jobs:
 pre-commit:
 runs-on: ubuntu-24.04
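Review bot: In the codeql.yml hunk the `analyze` job keeps its own `permissions:` block, and a job-level block replaces the workflow-level default rather than merging with it, so the new top-level `contents: read` never applies to this job; only the `contents: read` added inside the job does. A short comment above the job block would stop a later edit from dropping that line as a duplicate, for example `# job-level permissions replace the workflow default; list every scope this job needs`. It is also worth confirming that `packages: read` is still required: as far as I know it only matters when the analysis pulls private or internal CodeQL packs, and if that is not the case here the scope can be removed. The rest of the `analyze` job lies outside the hunk, so the steps that consume these scopes are not visible.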