From ba55e1fbc1eea2e2cb45a499cafe608176bf25a2 Mon Sep 17 00:00:00 2001
From: Zaiidmo <zaiidmoumnii@gmail.com>
Date: Wed, 21 Jan 2026 11:44:51 +0100
Subject: [PATCH 1/2] ops: update frontend-cd

---
 .github/workflows/frontend-cd.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/frontend-cd.yml b/.github/workflows/frontend-cd.yml
index 562d79c..b00a6e3 100644
--- a/.github/workflows/frontend-cd.yml
+++ b/.github/workflows/frontend-cd.yml
@@ -2,8 +2,6 @@ name: CD - Frontend (S3 + CloudFront Deploy) [Manual]
 
 on:
     workflow_dispatch:
-
-    # Enable later (when frontend is real + you want auto deploy on merge to master)
     push:
       branches: [master]
       paths:
@@ -74,7 +72,6 @@ jobs:
                   echo "bucket_name=$BUCKET_NAME" >> "$GITHUB_OUTPUT"
                   echo "distribution_id=$DIST_ID" >> "$GITHUB_OUTPUT"
 
-            # Frontend build is placeholder for now.
             # This will only run once frontend/package.json exists.
             - name: Setup Node
               if: steps.fe.outputs.exists == 'true'

From ddc6de4431ac16dfdd7c4fb3954c748915a06dda Mon Sep 17 00:00:00 2001
From: Zaiidmo <zaiidmoumnii@gmail.com>
Date: Wed, 21 Jan 2026 12:32:30 +0100
Subject: [PATCH 2/2] ops: update workflow permissions

---
 .github/workflows/backend-ci.yml  | 2 ++
 .github/workflows/cdk-synth.yml   | 2 ++
 .github/workflows/frontend-ci.yml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/backend-ci.yml b/.github/workflows/backend-ci.yml
index 66c69b5..fb92a7c 100644
--- a/.github/workflows/backend-ci.yml
+++ b/.github/workflows/backend-ci.yml
@@ -13,6 +13,8 @@ concurrency:
   group: ci-backend-pr-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
 jobs:
   backend:
     name: backend checks
diff --git a/.github/workflows/cdk-synth.yml b/.github/workflows/cdk-synth.yml
index dabbeea..16ce84a 100644
--- a/.github/workflows/cdk-synth.yml
+++ b/.github/workflows/cdk-synth.yml
@@ -13,6 +13,8 @@ concurrency:
   group: ci-infra-synth-pr-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
 jobs:
   synth:
     name: cdk synth (localSynth)
diff --git a/.github/workflows/frontend-ci.yml b/.github/workflows/frontend-ci.yml
index 7149396..7db8caf 100644
--- a/.github/workflows/frontend-ci.yml
+++ b/.github/workflows/frontend-ci.yml
@@ -13,6 +13,8 @@ concurrency:
   group: ci-frontend-pr-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
 jobs:
   frontend:
     name: frontend checks