chore(ci): tighten workflow token permissions

scop · scop · commit bffffede647f · 2025-07-21T11:50:52.000Z
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -9,10 +9,15 @@ on:
     types:
     - released
 
+permissions:
+  contents: read
+
 jobs:
   generate-and-deploy:
     name: Generate and deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout head
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml
@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.repository }}-${{ github.workflow }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,6 +6,8 @@ on:
       - 'go.mod'
       - 'go.sum'
       - '.github/workflows/lint.yml'
+permissions:
+  contents: read
 jobs:
   golangci-lint:
     name: golangci-lint
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -3,6 +3,8 @@ on:
   push:
     tags:
       - 'v*.*.*'
+permissions:
+  contents: read
 jobs:
   publish_release:
     name: Release
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -5,6 +5,8 @@ on:
       - '**.go'
       - 'go.mod'
       - 'go.sum'
+permissions:
+  contents: read
 jobs:
   unit-tests:
     name: Run unit-tests
