From fcf96d74be48019b8e6743de07001d6f38e8386f Mon Sep 17 00:00:00 2001 From: arpitjain099 Date: Wed, 13 May 2026 10:43:15 +0000 Subject: [PATCH] ci(semgrep): declare contents: read Drops the default `GITHUB_TOKEN` scope down to read-only for the only workflow in the repo. Semgrep findings are reported to Cloudflare's internal Semgrep instance via `SEMGREP_APP_TOKEN`, so the GitHub token only needs to read the checkout. Signed-off-by: Arpit Jain --- .github/workflows/semgrep.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index c821e5a..9eb67a3 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -9,6 +9,8 @@ on: schedule: - cron: '0 0 * * *' name: Semgrep config +permissions: + contents: read jobs: semgrep: name: semgrep/ci
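Review bot: the workflow-level `permissions:` block added in this hunk becomes the ceiling for every job in the file, and a job-level `permissions:` block would replace it rather than extend it, so confirm that the `semgrep` job (the only one visible in the context) does not depend on a write scope such as `security-events: write` for a SARIF upload to Code Scanning or `pull-requests: write` for PR comments. The commit message states that findings go to the internal Semgrep instance via `SEMGREP_APP_TOKEN`, which is consistent with `contents: read` being sufficient for the checkout. Consider a one-line YAML comment above `permissions:` recording that rationale, for example `# read-only: findings are reported via SEMGREP_APP_TOKEN, not the GitHub token`, so a later change to the workflow does not widen the scope without a reason.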