From afbfb3d02550b57c249f0edcd271d35b8a1334f8 Mon Sep 17 00:00:00 2001
From: Stephen Rosen <sirosen@globus.org>
Date: Tue, 16 Jun 2026 15:25:52 -0500
Subject: [PATCH] Add 'permissions' blocks to github workflows

Where missing, `permissions` are now declared.

Our publishing workflows already have permissions at the job level, and
therefore do not need workflow-level permissions to be set.
---
 .github/workflows/has_changelog.yaml | 3 +++
 .github/workflows/test.yaml          | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/has_changelog.yaml b/.github/workflows/has_changelog.yaml
index 3021a8cf8..99263bed6 100644
--- a/.github/workflows/has_changelog.yaml
+++ b/.github/workflows/has_changelog.yaml
@@ -9,6 +9,9 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   check_has_news_in_changelog_dir:
     if: |
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 591ebbf08..5f6712be5 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -9,6 +9,9 @@ on:
   schedule:
     - cron: '0 4 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "${{ matrix.name }}"