From 68cf02e9897248cd389f52ca65a661a546c75d4b Mon Sep 17 00:00:00 2001
From: Krishna Sreeraj
Date: Sun, 26 Oct 2025 15:07:23 +0530
Subject: [PATCH] [#180] | Krishna | Add explicit GITHUB_TOKEN permissions in CI workflows

---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/lint-job.yml | 3 +++
 .github/workflows/pr.yml | 4 ++++
 .github/workflows/test-job.yml | 3 +++
 .github/workflows/trivy-scan-job.yml | 3 +++
 .github/workflows/typecheck-job.yml | 3 +++
 6 files changed, 19 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fa01c0b..788343c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: write
+
 jobs:
 lint:
 uses: ./.github/workflows/lint-job.yml
diff --git a/.github/workflows/lint-job.yml b/.github/workflows/lint-job.yml
index 32abdfa..4015fc5 100644
--- a/.github/workflows/lint-job.yml
+++ b/.github/workflows/lint-job.yml
@@ -3,6 +3,9 @@ name: Lint Job
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 8c73450..3bbae4a 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -4,6 +4,10 @@ on:
 pull_request:
 types: [opened, synchronize, reopened]
 
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 lint:
 uses: ./.github/workflows/lint-job.yml
diff --git a/.github/workflows/test-job.yml b/.github/workflows/test-job.yml
index abb3b89..832a991 100644
--- a/.github/workflows/test-job.yml
+++ b/.github/workflows/test-job.yml
@@ -3,6 +3,9 @@ name: Test Job
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/trivy-scan-job.yml b/.github/workflows/trivy-scan-job.yml
index d20073c..6f5aa06 100644
--- a/.github/workflows/trivy-scan-job.yml
+++ b/.github/workflows/trivy-scan-job.yml
@@ -3,6 +3,9 @@ name: Trivy Scan Job
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 trivy-scan:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/typecheck-job.yml b/.github/workflows/typecheck-job.yml
index e63cba9..f722b1d 100644
--- a/.github/workflows/typecheck-job.yml
+++ b/.github/workflows/typecheck-job.yml
@@ -3,6 +3,9 @@ name: Typecheck Job
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 typecheck:
 runs-on: ubuntu-latest
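Review bot: `permissions: contents: write` at the workflow level of ci.yml hands a write-capable GITHUB_TOKEN to every job in that workflow, which is broader than the `lint` job shown in the hunk needs and the opposite of what the sibling reusable workflows declare (`contents: read`). A compromised or typosquatted third-party action in any ci.yml job could then push to the repository with that token. Set the workflow default to `contents: read` and, if a later job in ci.yml (the rest of the file is outside this hunk) genuinely has to push — a release or tag step, say — grant `contents: write` on that job alone under its own `permissions:` key. Note that a called workflow can only narrow what the caller grants, so the `contents: read` in lint-job.yml and friends does not protect jobs defined directly in ci.yml.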
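Review bot: `contents: read` is the right default for the scan job, but confirm that the job body (outside this hunk) does not upload results to code scanning: `github/codeql-action/upload-sarif` needs `security-events: write`, and with this workflow-level block in place that step would fail with a permissions error. If it does upload, add `security-events: write` next to `contents: read` here rather than widening `contents`. Nothing in the hunk shows such a step, so as shown the read-only grant is sufficient.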