From d405ff4b2bb489e45a987b859b8a7f7215971a6a Mon Sep 17 00:00:00 2001
From: Daniel Volz
Date: Tue, 30 Dec 2025 13:03:24 +0100
Subject: [PATCH] ci: add explicit permissions to workflows

Fixes CodeQL 'Workflow does not contain permissions' warnings. Sets minimal 'contents: read' at top level.
---
 .github/workflows/docker-build.yml | 4 ++++
 .github/workflows/test.yml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 5382d2a..3b6ed7c 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -11,6 +11,10 @@ on:
 required: false
 default: ''

+# Default minimal permissions
+permissions:
+ contents: read
+
 env:
 REGISTRY: ghcr.io

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4652009..c85299f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,6 +4,10 @@ on:
 pull_request:
 branches: [main]

+# Minimal permissions for security
+permissions:
+ contents: read
+
 jobs:
 # =============================================================================
 # Backend Tests
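Review bot: The new top-level `permissions:` block in docker-build.yml sets every scope it does not list to `none`, and the context line `REGISTRY: ghcr.io` suggests a job outside this hunk pushes images with `GITHUB_TOKEN`, so that job needs its own grant or the push will be refused. If so, keep the read-only default and give only the pushing job a job-level `permissions:` block with `contents: read` and `packages: write`. Any scope needed for provenance or signing, if the job does that, belongs at job level too. The comment could state the contract: `# Default for every job: read-only checkout, all other scopes none; jobs needing more declare it at job level`. The same check applies to the test.yml hunk if any of its jobs, which start outside the hunk, post PR comments or check results.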