From ad8e34483fdf4226de76c9e7768bc2ba9bf154de Mon Sep 17 00:00:00 2001
From: Aaron Dewes
Date: Tue, 26 Aug 2025 12:41:29 +0200
Subject: [PATCH] fix(cla): Harden action (#867)

The CLA action does not need contents: write permission. Limit it to read for security.
---
 .github/workflows/cla.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml
index e8aa3983..0147e36a 100644
--- a/.github/workflows/cla.yaml
+++ b/.github/workflows/cla.yaml
@@ -7,7 +7,7 @@ on:
 permissions:
 actions: write
- contents: write # this can be 'read' if the signatures are in remote repository
+ contents: read
 pull-requests: write
 statuses: write
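Review bot: The new `contents: read` line drops the comment that explained when read access is sufficient, so the file no longer records why the tighter scope is safe. Per the removed comment, read works only if the signatures are kept in a remote repository; the job's configuration is outside this hunk, so that should be confirmed, since with in-repo signature storage the action would presumably be unable to commit the signature file. I would keep the rationale next to the setting, e.g. `contents: read # signatures live in a remote repository; in-repo storage would need 'write'`. The untouched `actions: write`, `pull-requests: write` and `statuses: write` grants deserve the same least-privilege check, ideally scoped to the job rather than the whole workflow.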