From 7afe8ff8631b3f19e5fff3457847f75327ededbc Mon Sep 17 00:00:00 2001
From: Fernandez Ludovic <ldez@users.noreply.github.com>
Date: Fri, 28 Nov 2025 17:28:27 +0100
Subject: [PATCH] chore: update workflows

---
 .github/workflows/codeql.yaml |  3 +++
 .github/workflows/test.yml    | 20 ++++++++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index c90f793..374e767 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: '0 17 * * 5'
 
+permissions:
+  contents: read
+
 jobs:
   codeQL:
     # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d12b36e..ce70b4c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,6 @@
 name: "build-and-test"
-on: # rebuild any PRs and main branch changes
+
+on:
   pull_request:
     branches:
       - main
@@ -7,8 +8,12 @@ on: # rebuild any PRs and main branch changes
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
-  build: # make sure build/ci work properly
+  # make sure build/ci work properly
+  build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-node@v6
@@ -19,10 +24,11 @@ jobs:
           npm install
           npm run all
 
-      # Fail the build if there is dirty change
+      # Fail the build if there are changes.
       - run: git diff --exit-code -- dist
 
-  test: # make sure the action works on a clean machine without building
+  # make sure the action works on a clean machine without building
+  test:
     needs: [ build ]
     strategy:
       matrix:
@@ -54,7 +60,8 @@ jobs:
           args: --timeout=5m --issues-exit-code=0 ./fixtures/simple/...
           only-new-issues: true
 
-  test-go-install: # make sure the action works on a clean machine without building (go-install mode)
+  # make sure the action works on a clean machine without building (go-install mode)
+  test-go-install:
     needs: [ build ]
     strategy:
       matrix:
@@ -115,7 +122,8 @@ jobs:
           working-directory: ${{ matrix.wd }}
           args: --timeout=5m --issues-exit-code=0 ./...
 
-  test-plugins: # make sure the action works on a clean machine with plugins
+  # make sure the action works on a clean machine with plugins
+  test-plugins:
     needs: [ build ]
     strategy:
       matrix: