From bd74ca6c1216b7e7a6826965a8210937c2db0c62 Mon Sep 17 00:00:00 2001
From: Jozef Izso <izso@cisco.com>
Date: Sat, 21 Mar 2026 14:14:22 +0100
Subject: [PATCH] Explicitly use lowest permissions required to run workflow

---
 .github/workflows/check-dist.yml  | 3 +++
 .github/workflows/ci.yml          | 3 +++
 .github/workflows/manual-run.yml  | 3 +++
 .github/workflows/test-report.yml | 4 ++++
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
index 834ac22..32fcfe4 100644
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -16,6 +16,9 @@ on:
       - '**.md'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-dist:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8a54fc1..f00c141 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build-test:
     name: Build & Test
diff --git a/.github/workflows/manual-run.yml b/.github/workflows/manual-run.yml
index c1875a9..417eae6 100644
--- a/.github/workflows/manual-run.yml
+++ b/.github/workflows/manual-run.yml
@@ -3,6 +3,9 @@ name: Manual run
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-dist:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-report.yml b/.github/workflows/test-report.yml
index 11b266a..eb27dbf 100644
--- a/.github/workflows/test-report.yml
+++ b/.github/workflows/test-report.yml
@@ -6,6 +6,10 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   report:
     name: Workflow test