From a7c35c40e1d04e5073d7e34018b80c198d1d81aa Mon Sep 17 00:00:00 2001
From: ivegamsft
Date: Thu, 16 Apr 2026 14:37:38 -0400
Subject: [PATCH] fix: add explicit permissions to validate workflows

Add top-level permissions block (contents: read) to validate-basecoat.yml and validate-repo-template-sample.yml to resolve CodeQL code scanning alerts #1-#4 (actions/missing-workflow-permissions). The other two workflows (package-basecoat.yml and prd-spec-gate.yml) already have appropriate permissions blocks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/validate-basecoat.yml | 3 +++
 .github/workflows/validate-repo-template-sample.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/validate-basecoat.yml b/.github/workflows/validate-basecoat.yml
index 39b7bfd..d39ef4f 100644
--- a/.github/workflows/validate-basecoat.yml
+++ b/.github/workflows/validate-basecoat.yml
@@ -8,6 +8,9 @@ on:
 - main
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 validate-commit-messages:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-repo-template-sample.yml b/.github/workflows/validate-repo-template-sample.yml
index b1254b1..e4e505a 100644
--- a/.github/workflows/validate-repo-template-sample.yml
+++ b/.github/workflows/validate-repo-template-sample.yml
@@ -7,6 +7,9 @@ on:
 - main
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 validate-sample-template:
 runs-on: ubuntu-latest
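Review bot: The new top-level `permissions:` block in validate-basecoat.yml has no comment recording why it is there, and the same holds for the identical block added to validate-repo-template-sample.yml. Once any scope is declared, every scope not listed becomes `none` for the GITHUB_TOKEN, so I would put `# Least privilege: read-only repository contents; every other GITHUB_TOKEN scope is none` above each block, which tells a later contributor to widen access at job level rather than here. The job bodies continue outside both hunks, so it is worth confirming that no step in `validate-commit-messages` or `validate-sample-template` reads pull-request or check data through the API; such a step would now need an explicit job-level grant such as `pull-requests: read`.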