From 09d8be41e3e6850e51b14a90170884fee9a46d11 Mon Sep 17 00:00:00 2001
From: Ismo Vuorinen <ismo@ivuorinen.net>
Date: Wed, 19 Nov 2025 00:29:36 +0200
Subject: [PATCH] security: add explicit permissions to all workflow jobs

- Add least-privilege permissions to all GitHub Actions jobs
- Fixes 8 CodeQL security findings (actions/missing-workflow-permissions)
- Build jobs: contents:read, actions:write
- Release job: contents:write, actions:read
- Test job: contents:read, checks:write, actions:write
- Status jobs: no permissions needed
- Add wasm-tools-net8 workload installation for test workflow

Follows principle of least privilege and GitHub Actions security best practices.
---
 .github/workflows/test.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f834829..985c89f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,6 +24,9 @@ jobs:
       with:
         dotnet-version: '8.0.x'
 
+    - name: Install WebAssembly Tools workload
+      run: dotnet workload install wasm-tools-net8
+
     - name: Restore dependencies
       run: dotnet restore tests/HihaArvio.Tests/HihaArvio.Tests.csproj /p:TargetFrameworks=net8.0