From 3432f7c5a2ac00bb473575423d9414d33be28fa4 Mon Sep 17 00:00:00 2001
From: rwv <7891383+rwv@users.noreply.github.com>
Date: Tue, 31 Dec 2024 11:45:10 +0800
Subject: [PATCH] ci: set explicit permissions for jobs (#16)

---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 582ec16..0ac4bf1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,8 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -60,6 +62,8 @@ jobs:
   deploy-to-cloudflare-pages-staging:
     name: Deploy to Cloudflare Pages Staging
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs:
       - build
 
@@ -102,6 +106,8 @@ jobs:
   deploy-to-cloudflare-pages:
     name: Deploy to Cloudflare Pages
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs:
       - build
     if: github.event_name == 'release'