Set explicit token permissions on all workflows (#531)

Copilot · jakecoffman · web-flow · commit 388591ed6ee0 · 2025-12-08T17:51:51.000Z
* Initial plan

* Set explicit token permissions on all workflows with least privilege

Co-authored-by: jakecoffman &lt;886768+jakecoffman@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: jakecoffman &lt;886768+jakecoffman@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,15 +4,16 @@ on:
   release:
     types: [published]
 
+permissions:
+  attestations: write
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   releases-matrix:
     name: Release Go Binary
     runs-on: ubuntu-latest
-    permissions:
-        attestations: write
-        contents: write
-        id-token: write
-        packages: write
     strategy:
       matrix:
         goos: [linux, windows, darwin]
diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
@@ -5,6 +5,9 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions:
+  contents: read
+
 env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
