From 342051e34303226d2027296f1935125469384577 Mon Sep 17 00:00:00 2001
From: Alb3e3 <74142887+Alb3e3@users.noreply.github.com>
Date: Fri, 12 Jun 2026 00:28:47 +0200
Subject: [PATCH] ci: add read-only workflow token permissions

Set explicit, least-privilege GitHub Actions token permissions for the CI, Coverity, Doxygen, and SSL library test workflows. The build and test jobs only need repository contents read access. The Doxygen deploy job already declares its Pages and OIDC permissions at the job level, so the workflow default can stay read-only.
---
 .github/workflows/build.yaml        | 3 +++
 .github/workflows/coverity-scan.yml | 3 +++
 .github/workflows/doxygen.yml       | 3 +++
 .github/workflows/test-ssllib.yml   | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4cab0acc9be..3a64afc7c22 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,6 +4,9 @@ on:
   push:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   clang-format:
     name: Check code style with clang-format
diff --git a/.github/workflows/coverity-scan.yml b/.github/workflows/coverity-scan.yml
index 105f23e81b9..1bff2f23709 100644
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@@ -4,6 +4,9 @@ on:
     - cron: '0 20 * * *' # Daily at 20:00 UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   latest:
     # Running coverity requires the secrets.COVERITY_SCAN_TOKEN token
diff --git a/.github/workflows/doxygen.yml b/.github/workflows/doxygen.yml
index 3755b92cf58..86ee0811001 100644
--- a/.github/workflows/doxygen.yml
+++ b/.github/workflows/doxygen.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches: ["master"]
   workflow_dispatch:
+permissions:
+  contents: read
+
 concurrency:
   group: "pages"
   cancel-in-progress: false
diff --git a/.github/workflows/test-ssllib.yml b/.github/workflows/test-ssllib.yml
index d8178a72578..5044e36549e 100644
--- a/.github/workflows/test-ssllib.yml
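Review bot: The workflow-level `permissions: contents: read` silently becomes the ceiling for every job in build.yaml that does not declare its own `permissions` block, and nothing in the hunk tells whoever next adds a job that comments on a pull request or publishes check results that they must opt in at job level. A one-line comment above the block, `# Least-privilege default for GITHUB_TOKEN; a job that needs more must declare its own permissions block`, would put that intent next to the setting. Whether any existing job in this file needs more than read access cannot be seen from the hunk and should be confirmed against the jobs below `clang-format`, which continue outside it.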
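Review bot: `contents: read` only scopes the automatic GITHUB_TOKEN; the `secrets.COVERITY_SCAN_TOKEN` that the context comment says the `latest` job requires is a repository secret and remains fully available to every step of that job, so the exposure of that credential is unchanged by this hunk. That is worth saying beside the new block so nobody reads it as also constraining the Coverity upload, e.g. `# Scopes GITHUB_TOKEN only; COVERITY_SCAN_TOKEN is a repository secret and is not affected`. The `latest` job itself continues outside the hunk.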
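Review bot: A job-level `permissions` block supersedes the workflow-level one rather than merging with it, so the deploy job the commit message says already declares `pages: write` and `id-token: write` will run with no `contents` access unless its own block also lists `contents: read`; if that job, or any other job in this file with its own block, runs `actions/checkout`, the checkout will fail. The jobs are outside this hunk, so this needs checking against the rest of doxygen.yml. A comment above the new block, `# Default for jobs without their own permissions block; a job-level block replaces this entirely`, would record the trap. Unlike the other three files, no blank line separates `workflow_dispatch:` from `permissions:`; adding one keeps the layout consistent.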
+++ b/.github/workflows/test-ssllib.yml
@@ -1,5 +1,8 @@
 name: test_ssllib
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
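Review bot: The new block sits between `name:` and `on:`, whereas the other three workflows in this patch place `permissions:` after the `on:` block; moving it below `on:` keeps the four files uniform and easier to compare. Since this workflow is only reachable through `workflow_call`, its `permissions` can only narrow the token the calling workflow passes in, never widen it, so a comment such as `# Caps the GITHUB_TOKEN handed over by the caller; the effective scope is at most what the caller grants` would tell a future caller what to expect. The `on: workflow_call:` block continues past the end of the hunk.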