From 82b7673a87403a3acacd4072b544784588c3a088 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliv=C3=A9r=20Kecskem=C3=A9ty?= Date: Fri, 10 Apr 2026 14:24:00 +0200 Subject: [PATCH 1/2] Add explicit permissions to GitHub Actions workflows --- .github/workflows/backend.yml | 5 +++++ .github/workflows/compress-images.yml | 4 ++++ .github/workflows/frontend-admin.yml | 4 ++++ .github/workflows/frontend-base-workflow.yml | 3 +++ .github/workflows/frontend.yml | 4 ++++ .github/workflows/schema-validation.yml | 3 +++ 6 files changed, 23 insertions(+) diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml index d06349096..94a08b7ef 100644 --- a/.github/workflows/backend.yml +++ b/.github/workflows/backend.yml @@ -20,11 +20,16 @@ on: - 'backend/**' - '.github/workflows/backend.yml' +permissions: + contents: read + jobs: generate-lockfile: name: Generate lockfile runs-on: ubuntu-latest if: ${{ github.event_name == 'pull_request'}} + permissions: + contents: write outputs: files_changed: ${{ steps.verify-changed-files.outputs.files_changed }} diff --git a/.github/workflows/compress-images.yml b/.github/workflows/compress-images.yml index ddae41826..eaed3cf92 100644 --- a/.github/workflows/compress-images.yml +++ b/.github/workflows/compress-images.yml @@ -16,6 +16,10 @@ on: - '**.webp' workflow_dispatch: +permissions: + contents: write + pull-requests: write + jobs: compress-images: name: Compress images diff --git a/.github/workflows/frontend-admin.yml b/.github/workflows/frontend-admin.yml index e1bbd3ac2..1e0640490 100644 --- a/.github/workflows/frontend-admin.yml +++ b/.github/workflows/frontend-admin.yml @@ -8,6 +8,10 @@ on: paths: - 'frontend-admin/**' - '.github/workflows/frontend-admin.yml' + +permissions: + contents: read + jobs: run-tests: name: Run tests diff --git a/.github/workflows/frontend-base-workflow.yml b/.github/workflows/frontend-base-workflow.yml index 95cfa6bdd..c047b6367 100644 --- a/.github/workflows/frontend-base-workflow.yml 
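Review bot: In compress-images.yml the new workflow-level `permissions:` block grants `contents: write` and `pull-requests: write` to every job in the file, while the only job visible is `compress-images`; the rest of the series scopes the read-only grant at the top and would have scoped the write grant at the job, so the write grant belongs under the job as well so a later job cannot inherit push rights by accident. The three lines move to the job: under `compress-images:` add `permissions:` / `  contents: write` / `  pull-requests: write`, and the top-level block goes away. The `on:` block is cut off above the hunk; if it includes a `pull_request` trigger, note that the token is read-only for fork PRs regardless of this grant, so the commit/PR step (not visible here) needs a guard or an `if:` on the event rather than relying on the permission. Since the actions in this job now hold a token that can push to the repository, they should be pinned to a full commit SHA rather than a tag.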
+++ b/.github/workflows/frontend-base-workflow.yml @@ -22,6 +22,9 @@ on: default: false type: boolean +permissions: + contents: read + jobs: run-tests: name: Run tests diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml index f93c6b622..dfe124278 100644 --- a/.github/workflows/frontend.yml +++ b/.github/workflows/frontend.yml @@ -8,6 +8,10 @@ on: paths: - 'frontend/**' - '.github/workflows/frontend.yml' + +permissions: + contents: read + jobs: run-tests: name: Run tests diff --git a/.github/workflows/schema-validation.yml b/.github/workflows/schema-validation.yml index c645f877a..962e19faa 100644 --- a/.github/workflows/schema-validation.yml +++ b/.github/workflows/schema-validation.yml @@ -7,6 +7,9 @@ on: - 'backend/**' - '.github/workflows/schema-validation.yml' +permissions: + contents: read + jobs: validate-schema: name: OpenAPI schema validation From ec00d7e57fb532cc3209f0eab9df51c72879ef44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliv=C3=A9r=20Kecskem=C3=A9ty?= Date: Fri, 10 Apr 2026 14:51:52 +0200 Subject: [PATCH 2/2] Review fix --- .github/workflows/backend.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml index 94a08b7ef..587f62170 100644 --- a/.github/workflows/backend.yml +++ b/.github/workflows/backend.yml @@ -28,8 +28,6 @@ jobs: name: Generate lockfile runs-on: ubuntu-latest if: ${{ github.event_name == 'pull_request'}} - permissions: - contents: write outputs: files_changed: ${{ steps.verify-changed-files.outputs.files_changed }}
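Review bot: After this hunk the `generate-lockfile` job in backend.yml runs with the workflow-level `contents: read` only, so any step in the job that commits or pushes a regenerated lockfile will fail with a 403 from the API; the job's `files_changed` output and `pull_request`-only `if:` suggest it may be check-only, but its steps are outside the hunk, so please confirm no step pushes. If read-only is deliberate (fork PRs never get a writable token anyway, and same-repo PRs should not be auto-committed to), say so next to the `if:` with a comment such as `# read-only on purpose: this job only reports lockfile drift via files_changed; it never pushes`. If the job is meant to push on same-repo PRs, the removed job-level `contents: write` has to come back, restricted with `if: github.event.pull_request.head.repo.full_name == github.repository`.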