From 5eb10fc9efd636b6e28fd295a7a0a009fea6f7dc Mon Sep 17 00:00:00 2001
From: Artem Muterko
Date: Mon, 30 Mar 2026 17:34:36 +0200
Subject: [PATCH] ci: add explicit permissions to GitHub Actions workflows

Signed-off-by: Artem Muterko
---
 .github/workflows/main.yml | 3 +++
 .github/workflows/pypi-release.yml | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 772b7930..1752eecb 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -2,6 +2,9 @@
 name: CI
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index 4a414248..54f818a8 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -7,8 +7,12 @@ on:
       - main
       - 'tag/v**'
 
+permissions: {}
+
 jobs:
   build_dist:
+    permissions:
+      contents: read
     name: Build source distribution
     runs-on: ubuntu-24.04
     steps:
@@ -34,6 +38,8 @@ jobs:
         run: uvx twine check dist/*
   publish:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     if: github.event_name == 'push'
     needs: [ build_dist ]
     steps:
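Review bot: The workflow-level `permissions: {}` in pypi-release.yml makes each job's own `permissions` block the complete grant, so a job added later without one gets no token scopes at all and will fail at checkout for a non-obvious reason; that intent deserves a comment directly above it, e.g. `# Deny-all default: every job must declare the minimum scopes it needs.` The `build_dist` grant of `contents: read` is the right minimum for a checkout-and-build job. Note that main.yml in the same patch takes the other approach (a workflow-level `contents: read` that jobs inherit); both are valid, but documenting the choice here keeps the two files from reading as accidentally inconsistent.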
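Review bot: Because the earlier hunk sets `permissions: {}` for the whole workflow, the block added to `publish` is now its complete grant, and any scope the publish steps need beyond `contents` is denied rather than inherited; in particular, PyPI trusted publishing via OIDC requires `id-token: write`, which is not granted here. The publish job's `steps:` run past the end of the hunk, so I cannot see which mechanism is used; if it is OIDC, add `id-token: write` under the new `permissions:` block. If it publishes with a stored API token instead, confirm a step actually writes to the repository (for example creating a GitHub Release); otherwise `contents: read` is sufficient and `contents: write` is broader than needed for a job that runs on every push to `main`.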