From 72d7490a21da5e1d8d109320e6ca3fca8286f7f8 Mon Sep 17 00:00:00 2001
From: Adam Chen <encodeous7@gmail.com>
Date: Mon, 18 May 2026 14:35:38 +0000
Subject: [PATCH] ci: ensure read-only permissions on test actions

---
 .github/workflows/go-test.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
index a436913..813866e 100644
--- a/.github/workflows/go-test.yml
+++ b/.github/workflows/go-test.yml
@@ -12,14 +12,19 @@ on:
       - "docs/**"
       - "README.md"
 
+permissions:
+  contents: read
+
 env:
   GO_VERSION: "1.26.3"
 
 jobs:
   unit_test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
@@ -28,8 +33,10 @@ jobs:
         run: go run gotest.tools/gotestsum@latest -- --race -tags=router_test ./...
   integration:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
@@ -38,8 +45,10 @@ jobs:
         run: go run gotest.tools/gotestsum@latest -- --race -tags=integration ./integration/...
   e2e:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Go
         uses: actions/setup-go@v4
         with: