From 7db8883a85cc2e1a9b24110c22f3a4effa32ab3c Mon Sep 17 00:00:00 2001
From: Nilok Bose
Date: Sun, 15 Mar 2026 20:42:35 +0100
Subject: [PATCH] ci(security): add explicit permissions to all workflow jobs

- Add contents: read to lint, test, and coverage jobs that need repository checkout and cache access
- Add empty permissions to lint-report and test-report jobs that need no repository access
- Follows least-privilege principle for GitHub Actions workflows
---
 .github/workflows/release.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 35b59d3..e27b61c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -52,6 +52,8 @@ jobs:
 name: Code linting
 runs-on: ubuntu-latest
 needs: [deps]
+ permissions: contents: read
 strategy:
 matrix:
 command:
@@ -78,6 +80,7 @@ jobs:
 name: Code linting Report
 runs-on: ubuntu-latest
 needs: [lint]
+ permissions: {}
 if: ${{ always() }}
 steps:
 - name: Linting fail
@@ -88,6 +91,8 @@ jobs:
 name: Unit Tests
 runs-on: ubuntu-latest
 needs: [deps]
+ permissions: contents: read
 strategy:
 matrix:
 shardIndex: [1, 2, 3]
@@ -121,6 +126,8 @@ jobs:
 name: Merge Coverage Reports
 runs-on: ubuntu-latest
 needs: [test]
+ permissions: contents: read
 steps:
 - name: Checkout repo
 uses: actions/checkout@v6
@@ -150,6 +157,7 @@ jobs:
 name: Unit Tests Report
 runs-on: ubuntu-latest
 needs: [test, coverage]
+ permissions: {}
 if: ${{ always() }}
 steps:
 - name: Unit tests fail
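Review bot: The `deps` job that this `lint` job depends on (`needs: [deps]`) receives no `permissions` block anywhere in the patch, so unless a workflow-level `permissions:` key already exists above line 52 (outside every hunk) it keeps the repository's default GITHUB_TOKEN scope, which is still `write-all` on older repositories — at odds with the commit title's "all workflow jobs". Either add `permissions:` / `  contents: read` to `deps` as well, or, more robustly, set a workflow-level `permissions: {}` (or `contents: read`) so any job that omits the key, including ones added later, falls back to least privilege instead of the default. Note that the commit message's "cache access" justification does not apply: `actions/cache` authenticates with the Actions runtime token rather than GITHUB_TOKEN, so `contents: read` is needed here only for the checkout. The `lint` job definition starts above the hunk.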
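Review bot: The `Checkout repo` step at the end of the `coverage` hunk uses `actions/checkout@v6` with no visible `persist-credentials: false`, so by default the job's GITHUB_TOKEN is written into `.git/config` and is readable by every later step of the job (the step's `with:` block, if it has one, lies outside the hunk). The new `contents: read` scope limits what that token can do but does not remove the credential from the workspace; unless a later step pushes, add `with:` / `  persist-credentials: false` under the checkout step. Separately, the action is pinned by a floating major tag; pinning to the full commit SHA of the v6 release with a trailing `# v6` comment would close the tag-retargeting gap as well. The `coverage` job's steps continue past the hunk.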