From 7e1dcabac4298bd4cf138b35d648e6f457146c04 Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Thu, 28 May 2026 10:54:31 +0900
Subject: [PATCH] ci: pin GITHUB_TOKEN to read-only for unit tests

The unit test workflow only checks out code and runs protoc +
tests. Adding explicit contents: read permissions limits the
token to the minimum needed.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/unit-test.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index 1963ed62..05d453de 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -2,6 +2,9 @@ name: "Unit Test"
 
 on: [ push,pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
   go:
     name: Test go generation