From f0ce75676e368cb64f9f89b2db5d193e10f85bde Mon Sep 17 00:00:00 2001
From: Nicklas Lundin
Date: Mon, 18 May 2026 14:24:20 +0200
Subject: [PATCH] ci: declare minimum permissions on workflow files

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci.yaml | 3 +++
 .github/workflows/lint-pr.yaml | 4 ++++
 .github/workflows/release-please.yaml | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 356649ba..46fed8bd 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -8,6 +8,9 @@ on:
 branches:
 - '*'
 
+permissions:
+ contents: read
+
 jobs:
 Tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-pr.yaml b/.github/workflows/lint-pr.yaml
index 2a3907e7..73782e92 100644
--- a/.github/workflows/lint-pr.yaml
+++ b/.github/workflows/lint-pr.yaml
@@ -7,6 +7,10 @@ on:
 - edited
 - synchronize
 
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 main:
 name: Validate PR title
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index 792e6de8..c6902f06 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -3,6 +3,10 @@ on:
 branches:
 - main
 
+permissions:
+ contents: write
+ pull-requests: write
+
 name: Run Release Please
 jobs:
 release-please:
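Review bot: In `.github/workflows/lint-pr.yaml`, `pull-requests: write` looks broader than a title check needs; a job that only reads the PR title can run with `pull-requests: read`. The steps of `main` are outside the hunk, so if one of them posts a comment or label on the PR, keep write but record why next to it, e.g. `pull-requests: write # needed to post the validation comment`. The `on:` trigger also starts outside the hunk; if it is `pull_request_target`, this token is issued to runs started from forked PRs, which makes the narrower scope worth having. `contents: read` can be dropped as well if the job never checks out the repository.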
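Review bot: In `.github/workflows/release-please.yaml`, the new block sits at workflow level, so `contents: write` and `pull-requests: write` are granted to every job in the file rather than only to `release-please`; the job list continues outside the hunk. Declaring the same two lines under `jobs.release-please.permissions` and leaving the workflow level at `contents: read` keeps any later job on a read-only token by default. Once a `permissions:` block exists, every unlisted scope becomes `none`, so if the release step labels its PRs with the default `GITHUB_TOKEN` it may also need `issues: write`; this is worth confirming on the first run after merge.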