From 618a6aa98f60186c0d925d056eb65a26634c433d Mon Sep 17 00:00:00 2001
From: Ramon Roche
Date: Mon, 9 Feb 2026 14:15:50 -0800
Subject: [PATCH] CI: add explicit permissions block to clang-tidy workflow

Set minimal permissions (contents: read) as flagged by CodeQL.

Signed-off-by: Ramon Roche
---
 .github/workflows/clang-tidy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/clang-tidy.yml b/.github/workflows/clang-tidy.yml
index 8eb8cc7a35..f3b917cbd0 100644
--- a/.github/workflows/clang-tidy.yml
+++ b/.github/workflows/clang-tidy.yml
@@ -12,6 +12,9 @@ on:
 paths-ignore:
 - 'docs/**'
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: [runs-on, runner=16cpu-linux-x64, "run-id=${{ github.run_id }}", "extras=s3-cache"]
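Review bot: The new workflow-level `permissions:` block lists only `contents: read`, which sets every unlisted GITHUB_TOKEN scope to `none` for all jobs in this file, and the hunk does not show whether any step in `build` depends on another scope. The job's steps lie outside the hunk, so this needs confirming against the full file. If a step publishes annotations, PR comments or SARIF results, it should get a job-level grant under `build:`, such as `pull-requests: write` or `security-events: write`, rather than a wider workflow-level block. A one-line comment above the block would keep the intent clear for later editors, e.g. `# Least privilege: unlisted GITHUB_TOKEN scopes are none; add extra scopes per job, not here.`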