From d1662079a7b9627bfd6a9650eb0d2629cf2b1ee1 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Wed, 27 May 2026 11:56:45 +0100 Subject: [PATCH] fix(ci): add SPDX header + permissions to comprehensive-quality.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The governance/Workflow-security-linter check fails on every betlang PR with: ERROR: .github/workflows/comprehensive-quality.yml missing SPDX header ERROR: .github/workflows/comprehensive-quality.yml missing top-level 'permissions:' declaration Fix: add the standard two-line SPDX header at the top of the file and a top-level `permissions: read-all` declaration. Matches the header shape used by the other workflow files in this repo (see test.yml line 1-3 for reference). `read-all` is the safe minimum — individual jobs can override with more restrictive permissions if needed. No job in this file currently writes to the repo, so read-all is sufficient. After this lands, governance/Workflow-security-linter will pass on betlang PRs. Combined with #42 (hypatia-scan SHA-pin), #43 (setup-racket SHA-pin), and #44 (TypeScript playground exemption), this clears the last of the baseline-rot blockers on every betlang PR. --- .github/workflows/comprehensive-quality.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/comprehensive-quality.yml b/.github/workflows/comprehensive-quality.yml index 7bee8c9..fc59f26 100644 --- a/.github/workflows/comprehensive-quality.yml +++ b/.github/workflows/comprehensive-quality.yml @@ -1,4 +1,7 @@ +# SPDX-License-Identifier: MPL-2.0 +# SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell (hyperpolymath) name: Comprehensive Quality Gates +permissions: read-all on: push: branches: [main, master]
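Review bot: `permissions: read-all`, added between `name:` and `on:`, grants the workflow token read access on every scope rather than only what the jobs use, so it is broader than the "safe minimum" the commit message describes. Suggest a top-level `permissions:` map containing only `contents: read`, with any additional scope granted per job where a job needs it. That form is still a top-level `permissions:` declaration, which is what the quoted linter error asks for. The jobs are not visible in this hunk, so please confirm none of them relies on another read scope before narrowing. The two SPDX comment lines look fine as placed.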