From 64fcbeced678c3eebc25ae40cf5f0ba82f89de92 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 27 Dec 2025 03:52:17 +0000
Subject: [PATCH] Add workflow permissions for security

- Add explicit permissions block to restrict GITHUB_TOKEN
- Set contents: read permission (minimum required)
- Addresses CodeQL security alert

Co-authored-by: johndoe6345789 <224850594+johndoe6345789@users.noreply.github.com>
---
 .github/workflows/build.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0829085..b1008b1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,6 +18,10 @@ on:
 default: 'linux,macos,windows'
 type: string
 
+# Restrict GITHUB_TOKEN permissions for security
+permissions:
+ contents: read
+
 jobs:
 # Pre-build checks - fast failure for common issues
 lint:
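Review bot: The workflow-level `permissions:` block added just above `jobs:` sets every scope it does not list to `none` for all jobs in the file, and only the start of `lint` is visible in this hunk. If any later job creates a release, pushes a package, uploads code-scanning results or comments on a pull request, it will now fail on its first token call. Such a job should carry its own job-level `permissions:` block with just the scope it needs, rather than widening the top-level grant. The added comment could also record that rule for future editors, for example `# Least privilege: unlisted scopes are none; grant extra scopes per job, not here`. Please confirm against the jobs outside this hunk before merging.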