From d0678791f945e8183766b6ad72b5c2127877626b Mon Sep 17 00:00:00 2001
From: Dominic Byrd-McDevitt
Date: Sat, 14 Mar 2026 03:31:13 -0400
Subject: [PATCH] Add explicit permissions blocks to GitHub Actions workflows

Fixes 3 CodeQL code scanning alerts (actions/missing-workflow-permissions). All three workflows only need read access to repository contents; AWS credentials are supplied via repository secrets, not GITHUB_TOKEN.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/deploy-staging.yml | 3 +++
 .github/workflows/deploy.yml | 3 +++
 .github/workflows/scala.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 49bf8dd..c486515 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -2,6 +2,9 @@ name: Staging Deploy to Amazon ECR
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     name: Deploy Staging
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 804a05d..3411fe8 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -2,6 +2,9 @@ name: Deploy to Amazon ECR
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
diff --git a/.github/workflows/scala.yml b/.github/workflows/scala.yml
index 8f00df1..f3b53c5 100644
--- a/.github/workflows/scala.yml
+++ b/.github/workflows/scala.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
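Review bot: Whether `contents: read` is enough for the deploy job cannot be confirmed from this hunk, because the job's steps begin outside it; read scope is right for checkout, but any step that pushes a tag, creates a release or writes a PR comment with GITHUB_TOKEN would now be denied, so the steps should be checked once before merging (the same applies to the deploy.yml hunk). The commit message states that AWS access comes from repository secrets rather than GITHUB_TOKEN, which is why no further scope is needed here; if the ECR login is later moved to OIDC federation the token will additionally need `id-token: write`, and that dependency is worth recording next to the block so a future change does not silently break deploys. A one-line comment above the new key would do: `# GITHUB_TOKEN is read-only; AWS auth uses repository secrets (switching to OIDC would require id-token: write)`.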