From a402b48cb91343bae3f6dbe297fa27813c0d69bd Mon Sep 17 00:00:00 2001
From: Tejas Kashinath
Date: Thu, 12 Feb 2026 17:25:06 -0500
Subject: [PATCH] fix: add explicit permissions to CI workflows

Add top-level `permissions: contents: read` to build-and-test and lint workflows to restrict GITHUB_TOKEN scope. Resolves code scanning alerts for missing workflow permissions.
---
 .github/workflows/build-and-test.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 6684071e0..baf888f33 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: ['main']
 
+permissions:
+ contents: read
+
 # Cancel in-progress runs when a new commit is pushed
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c1e8bdeef..377464de9 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: ['main']
 
+permissions:
+ contents: read
+
 # Cancel in-progress runs when a new commit is pushed
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
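Review bot: The new top-level `permissions:` block in build-and-test.yml has no comment, unlike the `concurrency:` block directly below it, and the same applies to the identical hunk in lint.yml. Declaring any scope at this level sets every unlisted GITHUB_TOKEN scope to `none`, so I would put `# Least privilege: GITHUB_TOKEN is read-only; grant extra scopes per job, not here` above the block in both files. The jobs are outside both hunks, so it is worth confirming that no step depends on a write scope (for example posting PR comments or publishing check results). If one does, add a job-level `permissions:` for that job rather than widening this block.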