From e040088b041f945215f110b360b71ca68d067bad Mon Sep 17 00:00:00 2001 From: Jake Bromberg Date: Tue, 12 May 2026 09:53:30 -0700 Subject: [PATCH] ci: declare workflow-level GITHUB_TOKEN permissions Adds an explicit top-level `permissions:` block to every workflow so the GITHUB_TOKEN runs with a least-privilege default instead of inheriting whatever the repo-wide default happens to be. Behavior-neutral today but pins the safe posture in code so future jobs can't silently inherit write scopes. Per-workflow scope: - `pr-open.yml`: contents: read Part of the org-wide GitHub Actions hardening project (Phase 3). --- .github/workflows/pr-open.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 854e16fa..29574179 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -7,6 +7,12 @@ concurrency: group: pr-${{ github.event.pull_request.number }} cancel-in-progress: true +# Workflow-level GITHUB_TOKEN scope. No job in this file pushes code, +# comments on PRs, or creates releases; all writes to external services +# use their own non-GITHUB_TOKEN secrets. contents:read is the safe floor. +permissions: + contents: read + jobs: # Build job build:
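Review bot: the comment in this hunk asserts that no job in the file pushes code, comments on PRs, or creates releases, but the hunk ends at the start of `build:` and shows none of the job bodies, so that claim is not checkable from the diff; before merging, confirm there is no step later in `pr-open.yml` that uses `GITHUB_TOKEN` for a write (a `gh pr comment`, `actions/github-script` call, release or package publish step, or an `id-token: write` OIDC login). A workflow-level `permissions: contents: read` sets every unlisted scope, including `pull-requests`, `packages` and `id-token`, to none, so any such step would start failing with a 403 rather than being "behavior-neutral"; if one job needs a write scope, give that job its own `permissions:` block instead of widening the workflow-level floor. Two smaller points: the subject line says "every workflow" while the diffstat shows only `.github/workflows/pr-open.yml` changed, which is fine if this is one patch of a series but worth stating in the message; and since the `concurrency` group keys on `github.event.pull_request.number`, this workflow runs on `pull_request`, where fork-originated runs already get a read-only token, so the new block mostly constrains runs from same-repo branches.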