From d52c5d90af2b9a9935d1e6641e0c664e36eb14d7 Mon Sep 17 00:00:00 2001
From: Only
Date: Sun, 17 May 2026 08:54:20 +0800
Subject: [PATCH 1/2] Fix: Add explicit permissions block to follow least-privilege principle GitHub code-scanning alert #1: workflow inherits default broad permissions. Add explicit permissions: contents:read to follow least-privilege best practice.
---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 056dd80..05d0066 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,6 +2,9 @@ name: Build
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: windows-latest
From a9b0d242bfd5eeeb455c85627abdcfd4977419d7 Mon Sep 17 00:00:00 2001
From: Only
Date: Sun, 17 May 2026 09:37:22 +0800
Subject: [PATCH 2/2] Fix: Update runner to windows-2025-vs2026
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 05d0066..2b0dfbf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ permissions:
 jobs:
 build:
- runs-on: windows-latest
+ runs-on: windows-2025-vs2026
 steps:
 - uses: actions/checkout@v2
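Review bot: The top-level `permissions:` block added in PATCH 1/2 (the `@@ -2,6 +2,9 @@` hunk) has no comment, and it changes more than the one scope it names: once any scope is listed, every unlisted GITHUB_TOKEN scope drops to `none` for all jobs in this workflow. The steps of the `build` job lie mostly outside the visible hunks, so whether any of them needs a further scope cannot be confirmed from here. I would add a line above the block such as `# Least privilege: GITHUB_TOKEN can only read repo contents; unlisted scopes are none. Grant extras per job.` so that a later step needing write access is granted it on its own job instead of by widening this block.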