From 0952d5a99e73311804868777df37ebc6bf4a652f Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Wed, 13 May 2026 08:46:53 +0000
Subject: [PATCH] ci: declare permissions on build-check and codeql-analysis

build-check.yml: pure CI matrix compile - contents: read.
codeql-analysis.yml: github/codeql-action workflows need actions: read contents: read security-events: write (SARIF upload) which is the standard scope set for any CodeQL workflow.

Signed-off-by: Arpit Jain
---
 .github/workflows/build-check.yml     | 3 +++
 .github/workflows/codeql-analysis.yml | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/build-check.yml b/.github/workflows/build-check.yml
index b9096601..fd17458b 100644
--- a/.github/workflows/build-check.yml
+++ b/.github/workflows/build-check.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   compile:
     strategy:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e38d408b..fc85e589 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -12,6 +12,11 @@ concurrency:
   group: codeql-${{ github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write # github/codeql-action/upload posts SARIF results
+
 jobs:
   codeql-analyze:
     runs-on: ubuntu-latest
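Review bot: The new workflow-level `permissions:` block in build-check.yml is replaced wholesale, not merged, by any job-level `permissions:` key, and the `compile` job's body continues past the end of the hunk, so confirm no job in this file declares its own block before treating `contents: read` as the effective token scope. A short why-comment would help the next maintainer keep it minimal, e.g. `contents: read # least privilege: the compile matrix presumably only checks out and builds; widen per job if one ever needs to publish`. If a job later needs to push, release or comment on PRs, raise the scope on that job only rather than here.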
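Review bot: The inline comment on `security-events: write` names `github/codeql-action/upload`, which is not a step in that action repository; the SARIF upload is performed by the `analyze` step (or `upload-sarif` when called directly), so the comment should name the real step: `security-events: write # SARIF upload by github/codeql-action/analyze (or upload-sarif)`. `actions: read` is documented by the CodeQL action as needed only for private repositories, so on a public repo it could be dropped, though keeping the documented set is defensible. The `codeql-analyze` job body runs past the hunk, and a job-level `permissions:` there would override this block entirely, so verify none exists. Note also that on `pull_request` runs from forks the token is read-only regardless of this declaration, so the upload would fail there; the triggers are above the hunk and not visible here.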