From a20fe0180e046a036732068b92a8e22310a0a2f2 Mon Sep 17 00:00:00 2001
From: Michael Hucka
Date: Thu, 28 Aug 2025 20:00:46 -0700
Subject: [PATCH] Declare default workflow permissions as read-only

Following recommended best practices from Google OSPO, this adds a declaration for workflows to use read-only permissions by default.
---
 .github/workflows/ci-build-checks.yaml | 3 +++
 .github/workflows/ci-file-checks.yaml | 3 +++
 .github/workflows/ci-nightly-build-test.yaml | 3 +++
 .github/workflows/ci-nightly-cirq-test.yaml | 5 ++++-
 4 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-build-checks.yaml b/.github/workflows/ci-build-checks.yaml
index 7bea7be03..968d69385 100644
--- a/.github/workflows/ci-build-checks.yaml
+++ b/.github/workflows/ci-build-checks.yaml
@@ -85,6 +85,9 @@ env:
     ^\.github/problem-matchers/.*
     ^benchmarks/.*
 
+# Declare default workflow permissions as read only.
+permissions: read-all
+
 concurrency:
   # Cancel any previously-started but still active runs on the same branch.
   cancel-in-progress: true
diff --git a/.github/workflows/ci-file-checks.yaml b/.github/workflows/ci-file-checks.yaml
index 9caf9657b..16bc15f64 100644
--- a/.github/workflows/ci-file-checks.yaml
+++ b/.github/workflows/ci-file-checks.yaml
@@ -65,6 +65,9 @@ env:
   # GitHub, and you have to use Ubuntu 24 to get it.
   clang_format_ver: '18'
 
+# Declare default workflow permissions as read only.
+permissions: read-all
+
 concurrency:
   # Cancel any previously-started but still active runs on the same branch.
   cancel-in-progress: true
diff --git a/.github/workflows/ci-nightly-build-test.yaml b/.github/workflows/ci-nightly-build-test.yaml
index 569809d98..e6af260af 100644
--- a/.github/workflows/ci-nightly-build-test.yaml
+++ b/.github/workflows/ci-nightly-build-test.yaml
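Review bot: `permissions: read-all` is read-only but not minimal: it grants the GITHUB_TOKEN read on every scope (actions, issues, packages, pull-requests, and so on), whereas a checkout-only workflow needs just `contents: read`; the tighter workflow-level default is `permissions:` followed by `  contents: read` (or `permissions: {}`), with jobs requesting more as needed. The same applies to the identical additions in ci-file-checks.yaml here and in ci-nightly-build-test.yaml and ci-nightly-cirq-test.yaml in the following hunks. Note that a job-level `permissions:` block replaces rather than narrows the workflow-level one, so any job in these four workflows that declares its own block (the job bodies are outside these hunks) should be checked to make sure it does not re-expand access. The added comment could also state the override rule so later editors do not assume the default is enforced: `# Default GITHUB_TOKEN permissions for every job: read-only on all scopes. A job that needs write access must declare its own permissions block, which replaces this one.`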
@@ -54,6 +54,9 @@ concurrency:
   cancel-in-progress: true
   group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
 
+# Declare default workflow permissions as read only.
+permissions: read-all
+
 jobs:
   Decision:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/ci-nightly-cirq-test.yaml b/.github/workflows/ci-nightly-cirq-test.yaml
index 2e24eb26f..9e37f6311 100644
--- a/.github/workflows/ci-nightly-cirq-test.yaml
+++ b/.github/workflows/ci-nightly-cirq-test.yaml
@@ -6,7 +6,7 @@
 # For testing, this workflow can be invoked manually from the GitHub page at
 # https://github.com/tensorflow/quantum/actions/workflows/ci-nightly-cirq-test.yaml
 # Clicking the "Run workflow" button there will present a form interface with
-# options for overridding some of the parameters for the run.
+# options for overriding some of the parameters for the run.
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 name: CI nightly Cirq compatibility test
@@ -69,6 +69,9 @@ concurrency:
   cancel-in-progress: true
   group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
 
+# Declare default workflow permissions as read only.
+permissions: read-all
+
 jobs:
   test-compatibility:
     name: Run TFQ tests