From 21ef915bf366e9dcb0b907ce9a92aaa29242d548 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 28 Feb 2026 23:00:10 +0000
Subject: [PATCH] Add explicit permissions to deploy and e2e workflows (CodeQL
 fix)

Co-authored-by: blackboxprogramming <118287761+blackboxprogramming@users.noreply.github.com>
---
 .github/workflows/deploy.yml        | 1 +
 .github/workflows/e2e-blackroad.yml | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d276fd5..c759c0f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,6 +6,7 @@ on:
 
 jobs:
   deploy:
+    permissions: {}
     uses: BlackRoad-OS-Inc/blackroad-deploy/.github/workflows/cloudflare-deploy.yml@main
     with:
       project: blackroad-io
diff --git a/.github/workflows/e2e-blackroad.yml b/.github/workflows/e2e-blackroad.yml
index 64cc8ff..671e18e 100644
--- a/.github/workflows/e2e-blackroad.yml
+++ b/.github/workflows/e2e-blackroad.yml
@@ -10,6 +10,8 @@ on:
 jobs:
   e2e:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
       CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}