Add top-level permissions to workflow files for security best practices

Copilot · rajbos · Copilot · commit 2e5f079c768c · 2025-12-27T19:08:28.000Z
Co-authored-by: rajbos &lt;6085745+rajbos@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main, develop ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
         default: 'true'
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   release:
     permissions: 
diff --git a/.github/workflows/sync-release-notes.yml b/.github/workflows/sync-release-notes.yml
@@ -5,6 +5,9 @@ on:
   release:
     types: [published, edited]  # Automatic trigger when releases are published or edited
 
+permissions:
+  contents: read
+
 jobs:
   sync-release-notes:
     runs-on: ubuntu-latest
