From 48132891c3a8058ab73ac7eb80843ae89eb32e80 Mon Sep 17 00:00:00 2001
From: Falk Scheerschmidt
Date: Tue, 7 Apr 2026 14:23:56 +0200
Subject: [PATCH] fix: add explicit permissions to workflow files

Add minimal permissions blocks to all three workflow files to resolve code scanning alerts for missing-workflow-permissions (alerts #3, #12, #14). This follows the principle of least privilege by explicitly declaring only the permissions each workflow needs rather than inheriting the default (potentially overly broad) token permissions.

- release.yml: contents: write (create/update draft releases)
- auto-merge.yml: contents: read (App token handles merge operations)
- cla.yml: contents: write, pull-requests: write, actions: read

Co-Authored-By: OpenCode
---
 .github/workflows/auto-merge.yml | 3 +++
 .github/workflows/cla.yml | 5 +++++
 .github/workflows/release.yml | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 9dd2842..2830e82 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -3,6 +3,9 @@ name: Dependabot
 on:
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 dependabot:
 name: Auto Merge
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 1a44162..44d8b3d 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -6,6 +6,11 @@ on:
 pull_request:
 types: [opened, closed, synchronize]
 
+permissions:
+ contents: write
+ pull-requests: write
+ actions: read
+
 jobs:
 CLAssistant:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fcd44c4..3ec78ba 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: write
+
 jobs:
 update_release_draft:
 name: Update Release
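Review bot: Declaring `permissions:` with only `contents: read` sets every other scope on GITHUB_TOKEN to none, so in auto-merge.yml the `pull-requests` scope the job may need to read or approve the Dependabot PR is now gone; the commit message says the merge itself uses an App installation token, but the job steps are outside the hunk, so whether any step still relies on the default token (e.g. `gh pr view`/`gh pr merge` without `GH_TOKEN` set) cannot be confirmed from here. Record the intent next to the block so the next reader does not "fix" it back to write: `# GITHUB_TOKEN is read-only here; merging is done with the App installation token`. Note also that under a `pull_request` trigger the token is read-only for fork PRs regardless, so the real guard for an auto-merge job is a check that the actor is `dependabot[bot]` (and ideally the update type) before merging — that check, if present, lives in the job body outside this hunk.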
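Review bot: In cla.yml, `contents: write` and `pull-requests: write` are granted at workflow level for a workflow triggered by `pull_request`, where GITHUB_TOKEN is read-only for fork PRs anyway; if the CLA action writes its signature file with a separate PAT or App token (its usual configuration), `contents: write` on GITHUB_TOKEN is unused and could drop to `read` — the job steps are outside the hunk, so verify this against the action's documented requirements. Because an explicit block zeroes every unlisted scope, any step that sets a commit status or check (`statuses`/`checks`) would now fail, which is worth a quick run on a test PR. Each scope should carry a trailing comment naming the step that needs it, e.g. `actions: read  # needed by <step>`, since `actions: read` in particular is hard to justify at review time without one.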
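Review bot: In release.yml, `contents: write` alone leaves `pull-requests` at none; a release-drafting job (the job name `update_release_draft` suggests one) typically reads merged pull requests to compose the draft notes and, when autolabeling is enabled, labels them, so `pull-requests: read` (or `write`) may be required — the steps are outside the hunk, so check the action's documented permissions before relying on this block. Since the trigger is `push` to `main`, every workflow run on a landed commit now holds a token that can create and edit releases, which is the expected minimum here but deserves a comment so it is not widened casually: `# contents: write lets the drafter create/update the draft release on push to main`. If more jobs are added later, move the block to job level so only the drafter job carries write access.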