From e40e0aaed68b1e048e2bc4ca9e98cd82215d6e74 Mon Sep 17 00:00:00 2001
From: -LAN-
Date: Sat, 28 Mar 2026 07:10:55 +0800
Subject: [PATCH] harden docker workflow permissions

---
 .github/workflows/build-push.yml | 3 +++
 .github/workflows/docker-build.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index 62caf8b398..b06f6162e1 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -12,6 +12,9 @@ on:
 tags:
 - "*"
 
+permissions:
+ contents: read
+
 concurrency:
 group: build-push-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 56f048c0fc..9aa2ba7071 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -8,6 +8,9 @@ on:
 - api/Dockerfile
 - web/Dockerfile
 
+permissions:
+ contents: read
+
 concurrency:
 group: docker-build-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
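Review bot: A workflow-level `permissions: contents: read` replaces the default GITHUB_TOKEN grant entirely, so any job in build-push.yml that pushes images or signs them with that token (GHCR pushes need `packages: write`, keyless signing needs `id-token: write`) will fail at push time unless the job carries its own job-level `permissions:` block; the jobs are outside this hunk, so this needs confirming before merge. The same applies to the identical block added to docker-build.yml in the second hunk. If the pushes authenticate with a registry secret rather than GITHUB_TOKEN, a comment above the block, `# GITHUB_TOKEN is read-only here; jobs that push declare their own write scopes`, would record why the narrow workflow-level grant is sufficient.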