From 5f3098477e3536a5e70e449c57eeea88d43e89d3 Mon Sep 17 00:00:00 2001
From: Gagan H R
Date: Wed, 11 Mar 2026 21:40:14 +0530
Subject: [PATCH] ci: add top-level permissions to upgrade-fluxcd-pkg workflow

Add explicit top-level `permissions: contents: read` to the upgrade-fluxcd-pkg workflow to follow the principle of least privilege and fix the OpenSSF Scorecard Token-Permissions warning.

Signed-off-by: Gagan H R
---
 .github/workflows/upgrade-fluxcd-pkg.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/upgrade-fluxcd-pkg.yaml b/.github/workflows/upgrade-fluxcd-pkg.yaml
index 659fd30a..c96199d1 100644
--- a/.github/workflows/upgrade-fluxcd-pkg.yaml
+++ b/.github/workflows/upgrade-fluxcd-pkg.yaml
@@ -3,6 +3,9 @@ name: upgrade-fluxcd-pkg
 on:
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 upgrade-fluxcd-pkg:
 uses: fluxcd/gha-workflows/.github/workflows/upgrade-fluxcd-pkg.yaml@v0.9.0
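Review bot: The new top-level `permissions: contents: read` also caps the GITHUB_TOKEN handed to the reusable workflow called from the `upgrade-fluxcd-pkg` job, because a called workflow can only keep or reduce the caller's token permissions and every scope not listed becomes `none`. The job continues outside the hunk, so it is not visible whether it passes a separate token through `secrets:`; if the called workflow relies on GITHUB_TOKEN to push a branch or open a pull request, the manual run would presumably fail after this change. In that case keep the read-only default and grant the write scopes on the job only, e.g. `permissions: {contents: write, pull-requests: write}` under `upgrade-fluxcd-pkg:`. Separately, the `uses:` reference on the context line is pinned to the tag `v0.9.0`, which can be moved; pinning it to the full commit SHA would keep a retagged upstream workflow from running under this job's token and secrets.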