From 7e1d1b73e8982ad5a653dfe61392bb6973d4900e Mon Sep 17 00:00:00 2001
From: codepuncher <lee.hanbury@gmail.com>
Date: Mon, 18 May 2026 19:31:47 +0100
Subject: [PATCH 1/2] chore(ci): chain clang-tidy after build

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 53bc096..6aff118 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,7 +29,7 @@ jobs:
           check-path: src
 
   clang-tidy:
-    needs: clang-format
+    needs: build
     runs-on: windows-latest
     env:
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

From 2f8f1fa553526e8b2985c4a4a4bc41887a4096ad Mon Sep 17 00:00:00 2001
From: codepuncher <lee.hanbury@gmail.com>
Date: Mon, 18 May 2026 19:50:04 +0100
Subject: [PATCH 2/2] fix(ci): restrict GITHUB_TOKEN permissions to none

---
 .github/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6aff118..7a2b631 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,8 @@ concurrency:
   group: pr-checks-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   clang-format:
     runs-on: ubuntu-latest