From 0ada1c4e191e2524eb31da0c6611c5c6b520f26f Mon Sep 17 00:00:00 2001
From: Morgan Epp <60796713+epmog@users.noreply.github.com>
Date: Thu, 2 Apr 2026 12:31:17 -0500
Subject: [PATCH] fix: codeql doesn't have read permissions for private repos
Signed-off-by: Morgan Epp <60796713+epmog@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 1 +
 .github/workflows/reusable_codeql.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 387d74d7..da7cdb66 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,5 +13,6 @@ jobs:
 name: Analysis
 uses: ./.github/workflows/reusable_codeql.yml
 permissions:
+ contents: read
 security-events: write
diff --git a/.github/workflows/reusable_codeql.yml b/.github/workflows/reusable_codeql.yml
index 7696960c..6dd0da97 100644
--- a/.github/workflows/reusable_codeql.yml
+++ b/.github/workflows/reusable_codeql.yml
@@ -19,6 +19,7 @@ jobs:
 name: Analyze (${{inputs.languages}})
 runs-on: ubuntu-latest
 permissions:
+ contents: read # required for all workflows
 security-events: write
 steps:
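Review bot: The `permissions:` block of the calling job in codeql.yml still omits `actions: read`, which GitHub's CodeQL starter workflow lists together with `contents: read` as required for private repositories. An explicit `permissions:` block sets every unlisted scope to none, and a called workflow cannot hold more than its caller grants, so the scope would have to be added in both files: here and in the `permissions:` block of reusable_codeql.yml. If analysis and upload are confirmed to work on a private repository without it, keeping the narrower set is the better least-privilege choice and a one-line comment saying so would be enough; otherwise add `actions: read` beneath `contents: read`. The job definition starts above the hunk.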
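Review bot: The added `contents: read` in reusable_codeql.yml carries no explanation of its own and sits next to the existing `# required for all workflows` remark, which a reader may take to cover the new scope as well. I would give the new line its own comment, for example `# only needed when the repository is private`, and leave the existing remark attached to `security-events: write`. The job's steps lie outside the hunk, so which step consumes the scope is inferred from the commit subject rather than visible here.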