From a52d460f0431d35e8a1c62fef7b0f26ff24f0573 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 01:48:03 -0400
Subject: [PATCH] Scope down GitHub token permissions (#328)

*Issue #, if available:*

*Description of changes:*
Scope down GitHub token permissions for GHA security best practices.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
---
 .github/workflows/ci.yml         | 4 ++++
 .github/workflows/eval-model.yml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6837ad5..26d81fc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: "0 8 * * *" # Run at 8 AM UTC
 
+
+permissions:
+  contents: read
+
 jobs:
   type-check:
     strategy:
diff --git a/.github/workflows/eval-model.yml b/.github/workflows/eval-model.yml
index 72b8e90..51f611c 100644
--- a/.github/workflows/eval-model.yml
+++ b/.github/workflows/eval-model.yml
@@ -11,6 +11,10 @@ on:
       - synchronize # When new commits are pushed to the PR
       - labeled # When a label is added to the PR
 
+
+permissions:
+  contents: read
+
 jobs:
   evaluate-and-print:
     if: contains(github.event.pull_request.labels.*.name, 'run-eval') # Only run if 'run-eval' label is added
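Review bot: The added block in ci.yml inserts a blank `+` line directly after the existing blank context line, so the file now carries two consecutive blank lines before `permissions:`; drop the first added line so the block reads `permissions:` / `  contents: read` / blank / `jobs:`. A workflow-level `contents: read` is the right default, but it also caps every job in the file, and the job bodies (`type-check` and whatever follows) are outside this hunk, so it cannot be confirmed here that none of them needs a write scope (release uploads, cache or artifact writes are fine, but PR comments or pushes are not); any such job should get its own narrower job-level `permissions:` rather than widening the top level. Since this workflow also runs on a `schedule:`, it is worth adding a comment above the new block, e.g. `# Default GITHUB_TOKEN scope for all jobs; widen per job only where a write is required.`, so the next edit does not quietly raise it.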
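Review bot: The read-only token does not close the label-gating gap visible in this hunk: the job is gated on `contains(github.event.pull_request.labels.*.name, 'run-eval')` but the trigger also fires on `synchronize`, so once a maintainer applies `run-eval` every later push to that PR re-runs the evaluation without a fresh review. Whether this matters depends on which event the `on:` block uses and whether the job reads secrets such as model API keys, neither of which is shown here; with plain `pull_request` from a fork the token is read-only and secrets are withheld anyway, but for same-repository branches or a `pull_request_target` trigger the `synchronize` re-run is the point to re-check. If that is a concern, gate on the labeling event instead, e.g. `if: github.event.action == 'labeled' && github.event.label.name == 'run-eval'`, or drop `synchronize` from the trigger. As in ci.yml, the leading added blank line doubles an existing one and can be removed.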