From 3ccf0b1c049ec0a40fba4ae4841af24d9fdb0777 Mon Sep 17 00:00:00 2001
From: John McLear
Date: Sun, 19 Apr 2026 17:26:42 +0100
Subject: [PATCH] ci(security): restrict GITHUB_TOKEN permissions in update-plugins workflow (#7557)

Adds an explicit `permissions: contents: read` block to update-plugins.yml. Cross-repo work (cloning ether/ep_* repos, pushing updates, merging Dependabot PRs) is authenticated via secrets.PLUGINS_PAT, so the default GITHUB_TOKEN only needs read access for actions/checkout.

Addresses CodeQL code-scanning alert #115 ("Workflow does not contain permissions").

Matches the pattern already used by the other workflows under .github/workflows/.

Co-authored-by: Claude Opus 4.7 (1M context)
---
 .github/workflows/update-plugins.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/update-plugins.yml b/.github/workflows/update-plugins.yml
index da3da1838..4b6a282a8 100644
--- a/.github/workflows/update-plugins.yml
+++ b/.github/workflows/update-plugins.yml
@@ -5,6 +5,12 @@ on:
     - cron: '0 6 * * *' # Daily at 06:00 UTC
   workflow_dispatch: # Allow manual trigger
 
+# The cross-repo work (cloning ether/ep_* repos, pushing updates, merging
+# Dependabot PRs) is authenticated via secrets.PLUGINS_PAT. The default
+# GITHUB_TOKEN only needs read access to this repo for actions/checkout.
+permissions:
+  contents: read
+
 jobs:
   update-plugins:
     runs-on: ubuntu-latest
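Review bot: The workflow-level `permissions: contents: read` caps the token for every job in the file, including any step that still authenticates with GITHUB_TOKEN instead of PLUGINS_PAT, and the `update-plugins` job body lies outside the hunk, so that cannot be confirmed here. The `gh` CLI falls back to GITHUB_TOKEN when GH_TOKEN is unset, so a `gh pr merge` or `git push` step that does not export `GH_TOKEN: ${{ secrets.PLUGINS_PAT }}` (or pass the PAT explicitly) will now fail with a permission error rather than keep the write access it had before; worth a quick check of each write step before merging. The added comment would be more useful to the next editor if it stated the rule rather than the current state, e.g. `# Every step that writes (git push, gh pr merge) must use PLUGINS_PAT; GITHUB_TOKEN is read-only here.`, so a future failure is fixed at the step and not by widening this block.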