From 6754c43908863acab3f05180262f195e0b9ad3db Mon Sep 17 00:00:00 2001
From: Saagar <saagarpatelai@gmail.com>
Date: Sun, 17 May 2026 22:12:37 -0700
Subject: [PATCH 1/2] ci: restrict workflow token permissions

---
 .github/workflows/desktop-ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/desktop-ci.yml b/.github/workflows/desktop-ci.yml
index 9f4c63e..0b6debb 100644
--- a/.github/workflows/desktop-ci.yml
+++ b/.github/workflows/desktop-ci.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches: [main, master]
 
+permissions:
+  contents: read
+
 jobs:
   desktop-smoke:
     runs-on: ${{ matrix.os }}

From 83e09884a818dc0e74543c81d9eabce52bd31671 Mon Sep 17 00:00:00 2001
From: Saagar <saagarpatelai@gmail.com>
Date: Sun, 17 May 2026 22:12:38 -0700
Subject: [PATCH 2/2] ci: restrict workflow token permissions

---
 .github/workflows/quality-gates.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/quality-gates.yml b/.github/workflows/quality-gates.yml
index 36d4b0a..3a7176d 100644
--- a/.github/workflows/quality-gates.yml
+++ b/.github/workflows/quality-gates.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches: [main, master]
 
+permissions:
+  contents: read
+
 jobs:
   quality:
     runs-on: ubuntu-latest