From 829c376049ef56092f89d7f4806630bfcb36e4f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20St=C3=A4bler?=
Date: Tue, 26 May 2026 08:54:15 +0200
Subject: [PATCH] fix: add explicit permissions to GitHub Actions workflows

Restrict GITHUB_TOKEN to read-only access in workflows that were missing a permissions block, as flagged by CodeQL (CWE-275).
---
 .github/workflows/lint.yml | 3 +++
 .github/workflows/test-e2e-bundle.yml | 3 +++
 .github/workflows/test-e2e.yml | 3 +++
 .github/workflows/test.yml | 3 +++
 .github/workflows/verify-codegen.yml | 3 +++
 5 files changed, 15 insertions(+)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cb167f3..932f2e7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/test-e2e-bundle.yml b/.github/workflows/test-e2e-bundle.yml
index 603580b..f52489c 100644
--- a/.github/workflows/test-e2e-bundle.yml
+++ b/.github/workflows/test-e2e-bundle.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
index 497dd86..98a473a 100644
--- a/.github/workflows/test-e2e.yml
+++ b/.github/workflows/test-e2e.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a825721..b11073d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
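Review bot: The new workflow-level `permissions:` block with only `contents: read` implicitly sets every other GITHUB_TOKEN scope to `none`, so any job in these workflows that relied on the previous default (for example `id-token: write` for OIDC federation in the e2e runs, or `pull-requests: write` for PR comments) will begin failing with 403s; the `jobs:` sections are outside these hunks so this cannot be confirmed here, and the same applies to the test-e2e-bundle.yml, test-e2e.yml, test.yml and verify-codegen.yml hunks. Where a job genuinely needs more, grant it in that job's own `permissions:` rather than widening the workflow default. A short comment above the block would help maintainers keep the intent, e.g. `# Least privilege: GITHUB_TOKEN is read-only for the whole workflow (CodeQL CWE-275); grant extra scopes per job when a step needs them.` Note too that this constrains only GITHUB_TOKEN, so any PAT or cloud credential read from secrets in these workflows is unaffected and still deserves its own least-privilege review.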
diff --git a/.github/workflows/verify-codegen.yml b/.github/workflows/verify-codegen.yml
index 61d3ec0..5096df4 100644
--- a/.github/workflows/verify-codegen.yml
+++ b/.github/workflows/verify-codegen.yml
@@ -5,6 +5,9 @@ on:
   workflow_dispatch:
   merge_group:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true