From feae3dbc1e2a01b97e423ff6433ce5dc3dc9b75e Mon Sep 17 00:00:00 2001
From: Melissa Kilby <mkilby@apple.com>
Date: Tue, 30 Sep 2025 13:27:57 -0700
Subject: [PATCH] update: set explicit permissions in pull_request github
 workflows

Signed-off-by: Melissa Kilby <mkilby@apple.com>
---
 .github/workflows/pull_request.yml       | 3 +++
 .github/workflows/pull_request_label.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 3b6f3e3..900a3d7 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [opened, reopened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   soundness:
     name: Soundness
diff --git a/.github/workflows/pull_request_label.yml b/.github/workflows/pull_request_label.yml
index 8fd47c1..1fe3c14 100644
--- a/.github/workflows/pull_request_label.yml
+++ b/.github/workflows/pull_request_label.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   semver-label-check:
     name: Semantic version label check