From 8451a71af7d1e6cd88debe307ea82e0ca782b314 Mon Sep 17 00:00:00 2001
From: "mr. m" <91018726+mauro-balades@users.noreply.github.com>
Date: Wed, 14 May 2025 10:31:08 +0200
Subject: [PATCH] Potential fix for code scanning alert no. 6: Workflow does
 not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: mr. m  <91018726+mauro-balades@users.noreply.github.com>
---
 .github/workflows/build.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0ba082d0c..a8ec6a474 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,8 @@
 name: Zen Release builds
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
@@ -77,6 +80,9 @@ jobs:
           echo "bid=${bdat}" >> $GITHUB_OUTPUT
 
   start-self-host:
+    permissions:
+      contents: read
+      secrets: read
     runs-on: ubuntu-latest
     needs: debug-inputs
     steps:
@@ -102,6 +108,8 @@ jobs:
           rm start.sh || true
 
   check-build-is-correct:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: [debug-inputs]
     steps: