From af669d2a7eccd7dfd6f6ff1d9f90524e7e0a316f Mon Sep 17 00:00:00 2001
From: Jonas Bardino <bardino@science.ku.dk>
Date: Mon, 16 Mar 2026 11:53:42 +0100
Subject: [PATCH 1/2] Restrict spellcheck action to explicit read-only access
 to repo as recommended by code scanner. NB: this is already the repo default
 setting.

---
 .github/workflows/spellcheck.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index 31e50285..69d46959 100644
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -1,4 +1,7 @@
 name: Spell Checking
+# No need for more than read permission
+permissions:
+  contents: read
 on:
   # Triggers the workflow on push or pull request events but only for the master branch
   pull_request:

From c0de0a8e5841bfe540f0ae422285a94754c793f5 Mon Sep 17 00:00:00 2001
From: Jonas Bardino <bardino@science.ku.dk>
Date: Mon, 16 Mar 2026 11:58:59 +0100
Subject: [PATCH 2/2] Restrict CI action to explicit read-only access to repo
 as recommended by code scanner. NB: this is already the repo default setting.

---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b28260ad..e00e54a9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,7 @@
 name: Continuous Integration
+# No need for more than read permission
+permissions:
+  contents: read
 on:
   # Triggers the workflow on push or pull request events but only for the master branch
   pull_request: