From 4bfdf538079a60f21cb4118f20409dcf3e13bb6d Mon Sep 17 00:00:00 2001
From: Anshgrover23
Date: Mon, 19 Jan 2026 13:30:00 +0530
Subject: [PATCH] fix: add permissions to release workflow build job

Add explicit permissions block with contents: read to the build job to follow the principle of least privilege and resolve CodeQL security warning about missing workflow permissions.

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/release.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index be141e0d6..8cacaa4c3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,20 +8,22 @@ on:
 jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - + - name: Set up Python uses: actions/setup-python@v5 with: python-version: '3.11' - + - name: Install build tools run: pip install build - + - name: Build package run: python -m build - + - name: Upload artifact uses: actions/upload-artifact@v4 with:
@@ -40,6 +42,6 @@ jobs:
 with: name: dist path: dist/ - + - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@release/v1
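Review bot: The new `permissions:` / `contents: read` block is attached only to the `build` job, so the job that the second hunk belongs to (the one running `pypa/gh-action-pypi-publish@release/v1`; its header and any `permissions` key are outside the hunk) still gets the workflow-default token scope unless it declares its own block, and the CodeQL missing-permissions warning the message cites is, as far as I know, raised per job when no workflow-level default exists. A tighter layout is a workflow-level `permissions:` / `  contents: read` above `jobs:` that every job inherits, with the publish job overriding to exactly what it needs — `permissions:` / `  id-token: write` if it relies on trusted publishing (its `with:` inputs are not visible here; a `password:`-based publish needs no extra scope, and it does not check out sources so it needs no `contents`). Both hunks sit inside the `jobs:` mapping whose other members and the `on:` trigger are outside the diff. Separately, the context lines reference actions by mutable tags (`actions/checkout@v4`, `actions/setup-python@v5`, `pypa/gh-action-pypi-publish@release/v1`); pinning to full commit SHAs would harden a release workflow's supply chain, though that is beyond this commit's scope.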