From e484029d5333db54eb6f423625a26f4593831c4c Mon Sep 17 00:00:00 2001
From: Koichi ITO
Date: Tue, 13 Jan 2026 03:06:05 +0900
Subject: [PATCH] Add explicit permissions to CI workflow

Set minimal `contents: read` permission following the principle of least privilege. This prevents using overly permissive repository defaults.
---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f4496be..9077935 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,8 @@ on: [push, pull_request]
 jobs:
 test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
 entry:
@@ -27,6 +29,8 @@ jobs:
 rubocop:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 name: RuboCop
 steps:
 - uses: actions/checkout@v6
@@ -38,6 +42,8 @@ jobs:
 yard:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 name: YARD Documentation
 steps:
 - uses: actions/checkout@v6
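Review bot: The added `permissions:` blocks are scoped per job (`test` in the first hunk, `rubocop` and `yard` in the other two), so a job added to this workflow later without its own block falls back to the repository's default `GITHUB_TOKEN` permissions. Declaring the restriction once at workflow level, `permissions:` followed by `contents: read` directly under the `on: [push, pull_request]` line, makes read-only the baseline for every job and leaves a job that needs more to widen it explicitly. If the per-job form is kept on purpose, a short comment such as `# read-only token: this job only checks out and runs tests/linters` on each block would record that for the next maintainer. Each job's step list continues outside the hunks, so whether any step needs a scope beyond `contents: read` cannot be confirmed from here.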