From 33d4ed5a8c43d2531328517ae105b7799dde82e2 Mon Sep 17 00:00:00 2001
From: arpitjain099
Date: Wed, 13 May 2026 11:41:18 +0000
Subject: [PATCH] ci: pin contents: read on e2e-license-site, validate-csv, validate-exceptions

All three workflows are read-only PR checks (playwright e2e for the license-exceptions site, CSV format validation, and JSON Schema validation). No GitHub API writes.

Signed-off-by: arpitjain099
---
 .github/workflows/e2e-license-site.yml | 3 +++
 .github/workflows/validate-csv.yml | 3 +++
 .github/workflows/validate-exceptions.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/e2e-license-site.yml b/.github/workflows/e2e-license-site.yml
index 0a9b3b21..b2bc4383 100644
--- a/.github/workflows/e2e-license-site.yml
+++ b/.github/workflows/e2e-license-site.yml
@@ -9,6 +9,9 @@ on:
 - 'license-exceptions/playwright.config.js'
 - 'license-exceptions/package.json'

+permissions:
+ contents: read
+
 jobs:
 e2e-tests:
 name: Run E2E Tests
diff --git a/.github/workflows/validate-csv.yml b/.github/workflows/validate-csv.yml
index 70e4f6f0..0679e487 100644
--- a/.github/workflows/validate-csv.yml
+++ b/.github/workflows/validate-csv.yml
@@ -5,6 +5,9 @@ on:
 paths:
 - "project-maintainers.csv"

+permissions:
+ contents: read
+
 jobs:
 validate-csv:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-exceptions.yml b/.github/workflows/validate-exceptions.yml
index aef02c62..c046738a 100644
--- a/.github/workflows/validate-exceptions.yml
+++ b/.github/workflows/validate-exceptions.yml
@@ -6,6 +6,9 @@ on:
 - 'license-exceptions/exceptions.json'
 - 'license-exceptions/schema/**'

+permissions:
+ contents: read
+
 jobs:
 validate:
 runs-on: ubuntu-latest
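Review bot: The new top-level `permissions:` block in e2e-license-site.yml carries no comment saying that listing only `contents: read` sets every other GITHUB_TOKEN scope to `none`, so a maintainer who later adds a step that comments on the PR or publishes a check run will get a 403 with no obvious cause. I would put `# Least privilege: GITHUB_TOKEN is read-only; scopes not listed here are none` above it, and the same applies to the identical hunks in validate-csv.yml and validate-exceptions.yml. The `jobs:` bodies continue outside all three hunks, so the description's claim that no step writes through the API cannot be confirmed from the diff and is worth checking against one run of each workflow. The trigger under `on:` is also outside the hunks; if any of these runs on `pull_request_target` rather than `pull_request`, a read-only token does not limit access to repository secrets, so that should be confirmed as well.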