From 7e2b51d96d3339603f3d1b647e051acbfe0eb86f Mon Sep 17 00:00:00 2001
From: Pavlo Filatov <p.filatov@celonis.com>
Date: Fri, 14 Nov 2025 16:11:28 +0100
Subject: [PATCH] Workflow permissions were updated. 'contents: read' was added
 on top level for all main workflows of the repository.

---
 .github/workflows/build-test.yaml    | 3 +++
 .github/workflows/codeql.yml         | 3 +++
 .github/workflows/main.yaml          | 3 +++
 .github/workflows/oauth2.yaml        | 3 +++
 .github/workflows/publish-nuget.yaml | 3 +++
 .github/workflows/publish.yaml       | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 0140f3ae03..479e612952 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -3,6 +3,9 @@ name: build/test rabbitmq-dotnet-client
 on:
   - workflow_call
 
+permissions:
+  contents: read
+
 jobs:
   build-win32:
     runs-on: windows-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 873dc453d3..7a4516eefa 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on:
   schedule:
     - cron: '16 4 * * 4'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index bd8de1d335..714590a073 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -10,6 +10,9 @@ on:
       - main
       - 'rabbitmq-dotnet-client-*'
 
+permissions:
+  contents: read
+
 jobs:
   call-build-test:
     uses: ./.github/workflows/build-test.yaml
diff --git a/.github/workflows/oauth2.yaml b/.github/workflows/oauth2.yaml
index 885dd1f531..638283cf75 100644
--- a/.github/workflows/oauth2.yaml
+++ b/.github/workflows/oauth2.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build-test:
     strategy:
diff --git a/.github/workflows/publish-nuget.yaml b/.github/workflows/publish-nuget.yaml
index 6ecc9180ff..be8328dc40 100644
--- a/.github/workflows/publish-nuget.yaml
+++ b/.github/workflows/publish-nuget.yaml
@@ -6,6 +6,9 @@ on:
       NUGET_API_KEY:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   publish-nuget:
     runs-on: windows-latest
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index c01e5451aa..2161d15994 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -6,6 +6,9 @@ on:
       # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release
       - published
 
+permissions:
+  contents: read
+
 jobs:
   call-build-test:
     uses: ./.github/workflows/build-test.yaml