From f2ab2a96bc6a6cc99734f472873191ad68f7bd14 Mon Sep 17 00:00:00 2001 From: Ryan Date: Thu, 9 Oct 2025 00:09:27 -0400 Subject: [PATCH] CI: set least-privileged GITHUB_TOKEN (permissions: contents: read) --- .github/workflows/ci.yml | 6 ++++-- .github/workflows/sync-changelog.yml | 1 - docker-compose.yml | 1 - 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7dfb3bc..7a973dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ name: CI pull_request: workflow_dispatch: +permissions: + contents: read + concurrency: group: ci-${{ github.ref }} cancel-in-progress: true @@ -62,7 +65,7 @@ jobs: with: dockerfile: Dockerfile failure-threshold: error - ignore: DL3008,DL3059 + ignore: DL3008,DL3059 sanity: runs-on: ubuntu-latest @@ -87,4 +90,3 @@ jobs: else echo "No YAML files." fi - \ No newline at end of file diff --git a/.github/workflows/sync-changelog.yml b/.github/workflows/sync-changelog.yml index c7c3a6f..4550c73 100644 --- a/.github/workflows/sync-changelog.yml +++ b/.github/workflows/sync-changelog.yml @@ -42,4 +42,3 @@ jobs: git commit -m "chore: sync CHANGELOG.md from FileRise" git push origin main fi - \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 2441708..47cf59a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -41,4 +41,3 @@ services: timeout: 5s retries: 3 start_period: 20s - \ No newline at end of file
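Review bot: The top-level `permissions:` block added to ci.yml (first hunk, between `workflow_dispatch:` and `concurrency:`) has no comment saying that every scope it does not list is now `none` for all jobs in the workflow. A maintainer who later adds a step that uploads scan results or comments on a pull request will hit an unexplained 403, so I would put `# Least privilege: scopes not listed here are none; grant extras per job with a job-level permissions block.` directly above it. Separately, the commit touches sync-changelog.yml only to drop a trailing whitespace line, yet that workflow runs `git push origin main`, which makes it the one that actually writes to the repository. Its header is outside the hunk, so this is inferred: if it has no `permissions:` of its own it still runs with the repository default token scopes, and it should declare `contents: write` on the pushing job only (or document that the push uses a separate credential).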