From 40cb349e81c2dcb6f5cbc723fe113fde0f3e8ecf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Mon, 23 Mar 2026 09:01:40 +0100 Subject: [PATCH] Add workflow permissions to YAML lint workflow Declare explicit contents: read on the file-consistency GitHub Actions workflow so GITHUB_TOKEN uses least privilege and satisfies CodeQL rule actions/missing-workflow-permissions. Resolves the public code scanning alert for missing workflow permissions metadata (alert #1) in this repository. AI-Assistance: Cursor IDE, Agent mode, Composer model. Collaboration: standard human/AI workflow; human review and approval before commit. Security: addresses GitHub CodeQL finding on CI workflow permissions; no production secrets or credentials involved. Made-with: Cursor --- .github/workflows/yamllint.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index d3cdd91..2d0e193 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -1,5 +1,7 @@ --- name: file-consistency +permissions: + contents: read on: # yamllint disable-line rule:truthy pull_request: branches:
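Review bot: The top-level `permissions:` block added between `name: file-consistency` and `on:` applies to every job in this workflow, and the jobs are not visible in this hunk, so please confirm that none of them needs more than `contents: read`. Once any scope is declared, every scope not listed is set to none, so a job that posts check annotations or pull request comments would lose that access. If a job does need a write scope, grant it in a job-level `permissions:` block on that job rather than widening this workflow-wide default. A short YAML comment above `permissions:` stating that the token is deliberately read-only would also help keep later edits from loosening it.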