From 3f1c2179475aae663f2f1ed205a4075d7f85fb02 Mon Sep 17 00:00:00 2001
From: Melissa Kilby <mkilby@apple.com>
Date: Fri, 10 Oct 2025 16:39:28 -0700
Subject: [PATCH] chore: restrict GitHub workflow permissions - future-proof

Signed-off-by: Melissa Kilby <mkilby@apple.com>
---
 .github/workflows/nightly.yml      | 3 +++
 .github/workflows/pull_request.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index e7a3542df..def088e63 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -1,5 +1,8 @@
 name: Nightly
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: "0 0 * * *"
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 2fe92c5d8..00b679852 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,5 +1,8 @@
 name: Pull request
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, reopened, synchronize]