From 0f4b923e77eebd8f54b73d1adc07bfad6cb18f6e Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]"
 <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Fri, 7 Nov 2025 05:15:55 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/actions-lint.yaml | 3 +++
 .github/workflows/pr-scan.yaml      | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml
index 4642579..6f616f5 100644
--- a/.github/workflows/actions-lint.yaml
+++ b/.github/workflows/actions-lint.yaml
@@ -19,6 +19,9 @@ name: Lint/Validate Github Actions files
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   lint_validate_actions:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml
index 2509f19..01d8e43 100644
--- a/.github/workflows/pr-scan.yaml
+++ b/.github/workflows/pr-scan.yaml
@@ -40,6 +40,9 @@ on:
         type: boolean
         default: true
 
+permissions:
+  contents: read
+
 jobs:
   scan:
     runs-on: ${{ inputs.runs-on }}