From ddb81765f3b8d9fb58d34923aa8e3fdb3bf87dee Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Sat, 21 Feb 2026 19:49:30 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A7(ci)=20explicitly=20set=20CI=20perm?= =?UTF-8?q?issions=20to=20read-only=20as=20a=20precaution?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Clarify intent and avoid any ambiguity regarding granted permissions.
---
 .github/workflows/meet.yml | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/meet.yml b/.github/workflows/meet.yml
index 0d052cbf..b0eac232 100644
--- a/.github/workflows/meet.yml
+++ b/.github/workflows/meet.yml
@@ -7,11 +7,15 @@ on: pull_request: branches: - "*"
+permissions:
+ contents: read
 jobs: lint-git: runs-on: ubuntu-latest if: github.event_name == 'pull_request' # Makes sense only for pull requests
+ permissions:
+ contents: read
 steps: - name: Checkout repository uses: actions/checkout@v6
@@ -39,6 +43,8 @@ jobs: if: | contains(github.event.pull_request.labels.*.name, 'noChangeLog') == false && github.event_name == 'pull_request'
+ permissions:
+ contents: read
 steps: - name: Checkout repository uses: actions/checkout@v6
@@ -49,6 +55,8 @@ jobs: lint-changelog: runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps: - name: Checkout repository uses: actions/checkout@v6
@@ -62,6 +70,8 @@ jobs: build-mails: runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults: run: working-directory: src/mail
@@ -102,6 +112,8 @@ jobs: lint-back: runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults: run: working-directory: src/backend
@@ -124,6 +136,8 @@ jobs: lint-agents: runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults: run: working-directory: src/agents
@@ -144,6 +158,8 @@ jobs: lint-summary: runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults: run: working-directory: src/summary
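Review bot: The new workflow-level `permissions:` block (first hunk, just before `jobs:`) carries no comment explaining how it relates to the identical job-level blocks added to `lint-git` and to every other job in this patch. A job-level `permissions` key replaces the workflow-level one rather than merging with it, and any scope not listed is set to `none`, so a scope added at the top later will not reach these jobs. I would add `# Default for all jobs; job-level blocks override this and unlisted scopes are none` above the top-level key. The job steps are mostly outside these hunks, so it is worth confirming that none of them uses `GITHUB_TOKEN` for anything beyond reading repository contents.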
@@ -165,7 +181,8 @@ jobs: test-back: runs-on: ubuntu-latest needs: build-mails
-
+ permissions:
+ contents: read
 defaults: run: working-directory: src/backend
@@ -279,6 +296,8 @@ jobs: lint-front: runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps: - name: Checkout repository uses: actions/checkout@v6
@@ -294,6 +313,8 @@ jobs: lint-sdk: runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults: run: working-directory: src/sdk/library
@@ -312,6 +333,8 @@ jobs: build-sdk: runs-on: ubuntu-latest
+ permissions:
+ contents: read
 needs: lint-sdk defaults: run:
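Review bot: In the `test-back` hunk the `permissions` block sits after `needs: build-mails` and takes the place of the blank line that separated the job header from `defaults:`, while every other job in this patch puts it directly after `runs-on`, including `build-sdk` in the last hunk, where it comes before `needs: lint-sdk`. The behaviour is the same, but a fixed key order makes it easier to audit at a glance that each job declares its token scope. I would move it up so the job reads `runs-on: ubuntu-latest`, then `permissions:` with `contents: read`, then `needs: build-mails`. The rest of the `test-back` job lies outside the hunk.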