From 51c313373cfc2fa5fea1c27e4200ff9db1761dc4 Mon Sep 17 00:00:00 2001
From: Snider
Date: Wed, 4 Feb 2026 13:19:11 +0000
Subject: [PATCH] ci(workflows): add explicit permissions to all workflows

- agent-verify: add issues: write (was missing, writes comments/labels)
- ci: add contents: read (explicit least-privilege)
- coverage: add contents: read (explicit least-privilege)

All workflows now declare permissions explicitly. Repo default is read-only, so workflows without a block silently lacked write access.

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/agent-verify.yml | 3 +++
 .github/workflows/ci.yml | 3 +++
 .github/workflows/coverage.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/agent-verify.yml b/.github/workflows/agent-verify.yml
index b1b3a976..9ea73659 100644
--- a/.github/workflows/agent-verify.yml
+++ b/.github/workflows/agent-verify.yml
@@ -5,6 +5,9 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  issues: write
+
 jobs:
   # When work is claimed, track the implementer
   track-implementer:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 147193cf..0de17332 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
     branches: [dev, main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CORE_VERSION: dev
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index b2bf4aec..a2cdeaa1 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -7,6 +7,9 @@ on:
     branches: [dev, main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CORE_VERSION: dev
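Review bot: `issues: write` at the top of agent-verify.yml is granted to every job in the file, not only to the jobs that comment or label, and the `issues: labeled` trigger is reachable by anyone with triage access on the repository. The tighter form is `permissions: {}` at the workflow level and `permissions:` / `  issues: write` on just the jobs that need it — the `jobs:` map, including `track-implementer`, runs past the end of this hunk so the per-job split is not visible here. Declaring the block also sets every unlisted scope to none, so any job that checks out the repository with the default token now needs `contents: read` as well; please confirm against the jobs. Since the token is now write-capable in a run that an issue author or labeler can trigger, also confirm no job interpolates `github.event.issue.title` or the issue body directly into a `run:` step.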
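Review bot: A short comment above the new block in ci.yml would save the next maintainer a surprise, because an explicit `permissions:` key does more than grant `contents: read` — every scope not listed becomes none for GITHUB_TOKEN in all jobs; suggest `# Explicit least-privilege token: any scope not listed here is 'none' for every job`. The jobs of ci.yml are outside this hunk, so please confirm none of them publishes packages, creates releases or comments on pull requests, as those steps would now fail with a 403 rather than silently lacking access as the commit message describes.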
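Review bot: Coverage workflows commonly post a summary comment on the pull request or publish a check, and with the explicit block in coverage.yml `pull-requests` and `checks` are now none, so any such step in its jobs (outside this hunk) will fail with a 403. If one exists, add the scope on that job only, e.g. `permissions:` / `  contents: read` / `  pull-requests: write`, rather than widening the workflow-level block. If coverage is instead uploaded to an external service with a repository secret, nothing further is needed here — bear in mind that secret is not available to `pull_request` runs from forks regardless of this block, so a fork-run upload failure is not caused by this change.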