From 3f780768650cf8a55d2f7310f09c7a936cf0ae16 Mon Sep 17 00:00:00 2001 From: Shulhan Date: Sun, 15 Feb 2026 12:53:54 +0700 Subject: .github: set permissions contents to read If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the write permission only to a specific types as "issues: write" or "pull-requests: write". --- .github/workflows/go.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index a5ac4f4e..d4e64ca1 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -1,8 +1,9 @@ -# SPDX-FileCopyrightText: 2019 M. Shulhan -# # SPDX-License-Identifier: BSD-3-Clause +# SPDX-FileCopyrightText: 2019 M. Shulhan name: Go1.25.0 +permissions: + contents: read on: [push] jobs: build: -- cgit v1.3
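Review bot: the SPDX header reshuffle at the top of go.yml (SPDX-FileCopyrightText moved below SPDX-License-Identifier, and the bare "#" separator line dropped) is unrelated to the permissions change named in the subject and is not mentioned in the commit message. Consider splitting it into its own commit, or add a line about it to the message, so the security-relevant change stays easy to audit in history. On the added top-level block: once "permissions:" is declared, every scope not listed is set to none for all jobs in the workflow, so "contents: read" here is the complete grant, not an addition to the defaults. The steps of the build job are outside the visible context, so confirm that nothing in it needs more than repository read. If a later job does need a write scope, grant it in a job-level "permissions:" block rather than widening this one.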