From 6c5e68fad0b2e09e54d55ca936e53e7e1372456c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johanna=20S=C3=B6rng=C3=A5rd?=
 <44257381+JSorngard@users.noreply.github.com>
Date: Fri, 3 Apr 2026 18:21:56 +0200
Subject: [PATCH 1/2] Add permissions for contents read access

---
 .github/workflows/rust.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 3558f68a..10885012 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -16,6 +16,8 @@ env:
 jobs:
   format:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - uses: dtolnay/rust-toolchain@stable
@@ -26,6 +28,8 @@ jobs:
 
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - uses: dtolnay/rust-toolchain@stable
@@ -40,6 +44,8 @@ jobs:
 
   clippy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - uses: dtolnay/rust-toolchain@stable
@@ -61,6 +67,8 @@ jobs:
         toolchain: [stable, beta]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - uses: dtolnay/rust-toolchain@master
@@ -77,6 +85,8 @@ jobs:
       
   doc:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       RUSTFLAGS: -D warnings
       RUSTDOCFLAGS: --cfg docsrs
@@ -90,6 +100,8 @@ jobs:
 
   verify_rust_version:
     needs: format
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
@@ -108,6 +120,8 @@ jobs:
 
   run_examples:
     needs: format
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
@@ -123,6 +137,8 @@ jobs:
 
   coverage:
     needs: format
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -148,6 +164,8 @@ jobs:
   semver-checks:
     needs: format
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
@@ -166,6 +184,8 @@ jobs:
   compile_benchmarks:
     needs: format
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - uses: dtolnay/rust-toolchain@stable
@@ -181,6 +201,8 @@ jobs:
   no_std:
     needs: format
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         target: [thumbv7m-none-eabi, aarch64-unknown-none]
@@ -221,6 +243,8 @@ jobs:
     # https://github.com/jonhoo/fantoccini/blob/fde336472b712bc7ebf5b4e772023a7ba71b2262/Cargo.toml#L47-L49.
     # This action is run on ubuntu with the stable toolchain, as it is not expected to fail
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable

From 253cf0ec7d899b7d0cd7d9d6c726df7e17ccd613 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johanna=20S=C3=B6rng=C3=A5rd?=
 <44257381+JSorngard@users.noreply.github.com>
Date: Fri, 3 Apr 2026 18:26:31 +0200
Subject: [PATCH 2/2] Add changes to log

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ce626b7c..86aade37 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@
 This file contains the changes to the crate since version 0.1.1.
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+- Add explicit permissions to the CI jobs.
+
 ## [2.0.1] - 2026-03-26
 
 - Use [`kuva`](https://crates.io/crates/kuva) instead of [`plotters`](https://crates.io/crates/plotters/) as the plot backend in the plot example.