From 16f6ddc3d5bc2e7940a728d6630133b1275a58eb Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Wed, 3 Jun 2026 14:09:02 -0700 Subject: [PATCH] [actions] set per-job permissions in the `nvm install` workflow CodeQL (actions/missing-workflow-permissions) flagged the matrix, test, and finisher jobs of nvm-install-test.yml for not declaring permissions. Every other test workflow already sets least-privilege permissions per job; add them here to match: `contents: read` for the matrix and test jobs, `contents: none` for the no-op finisher. --- .github/workflows/nvm-install-test.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/nvm-install-test.yml b/.github/workflows/nvm-install-test.yml index 73cdced0..0db46ddf 100644 --- a/.github/workflows/nvm-install-test.yml +++ b/.github/workflows/nvm-install-test.yml @@ -15,6 +15,8 @@ permissions: jobs: matrix: + permissions: + contents: read runs-on: ubuntu-latest outputs: matrix: ${{ steps.matrix.outputs.matrix }} @@ -43,6 +45,8 @@ jobs: fi test: + permissions: + contents: read needs: [matrix] runs-on: ubuntu-latest continue-on-error: ${{ matrix.ref == 'v0.40.0' }} # https://github.com/nvm-sh/nvm/issues/3405 @@ -101,6 +105,8 @@ jobs: fi finisher: + permissions: + contents: none runs-on: ubuntu-latest needs: [test] steps:
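Review bot: The `contents: read` blocks added to the `matrix` and `test` jobs do not say what the scope is needed for, and both job bodies continue outside the hunks, so the grant cannot be checked against the steps from here. A job-level `permissions` key replaces the workflow-level `permissions:` block named in the first hunk header rather than merging with it, and every scope it does not list becomes `none`. A comment above each block would record that, for example `# job-level override: only contents: read, all other token scopes are none`, adjusted to what the steps actually use. If the `matrix` job only computes the matrix output and never reads the repository through the token, `permissions: {}` would be the tighter setting there.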
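Review bot: In the `finisher` job, `contents: none` reads as if only the contents scope were being switched off, although listing any scope already sets every unlisted one to `none`. An empty mapping states the intent of a token with no scopes directly; I would write it as `permissions: {}  # no-op job, token needs no scopes`. The job's steps are outside the hunk, so this assumes the finisher makes no API calls, as the commit message describes.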