From 1aec0339203ab79476003deba3e92cc658a2ce45 Mon Sep 17 00:00:00 2001 From: arpitjain099 Date: Wed, 13 May 2026 10:42:43 +0000 Subject: [PATCH] ci(semgrep): pin contents: read on the daily scan The Semgrep scheduled scan only checks out the repo and runs `semgrep ci` inside the official semgrep container, so the default GITHUB_TOKEN doesn't need any write scopes. This is the only workflow in this repo and the top-level permissions style matches other cloudflare/* repos (e.g. cloudflare/cloudflare-docs). Signed-off-by: Arpit Jain --- .github/workflows/semgrep.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index f3f84c4c5..8100abeb1 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -3,6 +3,8 @@ on: schedule: - cron: '0 0 * * *' name: Semgrep config +permissions: + contents: read jobs: semgrep: name: semgrep/ci
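Review bot: the new `permissions:` block sits at workflow level, between `name:` and `jobs:`, so it caps the GITHUB_TOKEN for every job in the file, not just `semgrep/ci`; that matches the commit message, but the job's steps are outside this hunk, so confirm the job contains no step that uploads results to GitHub Code Scanning (which needs `security-events: write`) or writes PR comments (`pull-requests: write`), because with `contents: read` only, such a step would fail with a 403 on a scheduled run that nobody is watching. Restricting GITHUB_TOKEN does not affect any repository secret the job reads (for example a Semgrep app token passed via `secrets.*`), so no other change is needed for the checkout + `semgrep ci` path the message describes.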