From be1e076a0899891a69f49e2399179c48840cdf8f Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <anders@zulip.com>
Date: Mon, 8 Dec 2025 15:26:08 -0800
Subject: [PATCH] workflows: Restrict GitHub permissions.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
---
 .github/workflows/zulip-ci.yml    | 3 +++
 .github/workflows/zulip-tests.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/zulip-ci.yml b/.github/workflows/zulip-ci.yml
index e1f8ba9ed..175d4a308 100644
--- a/.github/workflows/zulip-ci.yml
+++ b/.github/workflows/zulip-ci.yml
@@ -7,6 +7,9 @@ name: Zulip server CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: bash
diff --git a/.github/workflows/zulip-tests.yml b/.github/workflows/zulip-tests.yml
index 57bfa10d2..5e3c46353 100644
--- a/.github/workflows/zulip-tests.yml
+++ b/.github/workflows/zulip-tests.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   static-analysis:
     runs-on: ubuntu-latest