From a75e6fc38d3162ade88aba8c8e99add59c6fefd0 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 2 Jun 2026 10:19:18 +0900
Subject: [PATCH] chore(ci): set top-level permissions on workflows

Set an explicit least-privilege permissions block so the workflow GITHUB_TOKEN is scoped to contents: read instead of inheriting the repository default.

Signed-off-by: Arpit Jain
---
 .github/workflows/ci_tests_run_notebooks.yml | 3 +++
 .github/workflows/circleci-artifacts-redirector.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci_tests_run_notebooks.yml b/.github/workflows/ci_tests_run_notebooks.yml
index b2b6dafb..68ecf4b1 100644
--- a/.github/workflows/ci_tests_run_notebooks.yml
+++ b/.github/workflows/ci_tests_run_notebooks.yml
@@ -11,6 +11,9 @@ on:
 - cron: '0 5 * * 1'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: ${{ matrix.os }} ${{ matrix.name }}
diff --git a/.github/workflows/circleci-artifacts-redirector.yml b/.github/workflows/circleci-artifacts-redirector.yml
index f24efe72..be06f6fb 100644
--- a/.github/workflows/circleci-artifacts-redirector.yml
+++ b/.github/workflows/circleci-artifacts-redirector.yml
@@ -1,5 +1,8 @@
 name: Run CircleCI artifacts redirector for rendered HTML
 on: [status]
+permissions:
+ contents: read
+
 jobs:
 circleci_artifacts_redirector_job:
 runs-on: ubuntu-latest
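Review bot: In `circleci-artifacts-redirector.yml`, the new top-level `permissions:` block grants only `contents: read`, which sets every unlisted GITHUB_TOKEN scope to `none`; a job triggered `on: [status]` that publishes a redirect link normally does so by creating a commit status, which needs `statuses: write`. The job's steps lie outside the hunk, so this is inferred from the workflow name and trigger, but if a step passes the token to the redirector action, that call will be rejected after this change. Keep the read-only default at the top level and add a job-level grant under `circleci_artifacts_redirector_job`: `permissions:` followed by `statuses: write`. The identical block in `ci_tests_run_notebooks.yml` is sufficient if that job only checks out the repository and runs tests; confirm that no step there comments, uploads or pushes with the token.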