ci: add default read-only permissions

iiroj · iiroj · commit 66d6b38871da · 2025-11-04T15:14:25.000+02:00
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,6 +6,9 @@ on:
             - main
             - beta
 
+permissions:
+    contents: read
+
 jobs:
     Install:
         runs-on: ubuntu-latest
@@ -104,6 +107,10 @@ jobs:
     Release:
         # Prevent infinite release loop
         if: ${{ !startsWith(github.event.head_commit.message, 'chore(release)') }}
+        permissions:
+            contents: write
+            issues: write
+            pull_requests: write
         needs:
             - Lint
             - Typecheck
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,6 +8,9 @@ on:
             # Beta release tags, e.g. "v3.0.0-beta.1"
             - 'v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+'
 
+permissions:
+    contents: read
+
 jobs:
     Install:
         runs-on: ubuntu-latest
