From f17d0a9a981629ee5c45464b198045c874bafd44 Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Fri, 12 Dec 2025 17:59:32 +0100
Subject: [PATCH] Add permissions to reused `files-changed` workflow

`files-changed` is a reusable workflow imported via `used` but
apparently CodeQL still complains about this so add permissions to the
importing workflow as well.
---
 .github/workflows/pull-compliance.yml    | 2 ++
 .github/workflows/pull-db-tests.yml      | 2 ++
 .github/workflows/pull-docker-dryrun.yml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/pull-compliance.yml b/.github/workflows/pull-compliance.yml
index 9e1963d48a6e0..c146b439e0b64 100644
--- a/.github/workflows/pull-compliance.yml
+++ b/.github/workflows/pull-compliance.yml
@@ -10,6 +10,8 @@ concurrency:
 jobs:
   files-changed:
     uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read
 
   lint-backend:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 16c9e004a51f7..66f48d5af86cd 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -10,6 +10,8 @@ concurrency:
 jobs:
   files-changed:
     uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read
 
   test-pgsql:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
diff --git a/.github/workflows/pull-docker-dryrun.yml b/.github/workflows/pull-docker-dryrun.yml
index e1b86e5e38e82..1cd1ba31ddd25 100644
--- a/.github/workflows/pull-docker-dryrun.yml
+++ b/.github/workflows/pull-docker-dryrun.yml
@@ -10,6 +10,8 @@ concurrency:
 jobs:
   files-changed:
     uses: ./.github/workflows/files-changed.yml
+    permissions:
+      contents: read
 
   container:
     if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true'