rstackjs · stormslowly · May 13, 2026 · May 12, 2026 · May 12, 2026
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   benchmark:
     name: Benchmark

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: ${{ github.ref_name != 'main' }}
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: bash

diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref_name != 'main' }}
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
     name: Code Coverage

diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
@@ -34,14 +34,11 @@ on:
         required: false
         default: true
 
-permissions:
-  # To publish packages with provenance
-  id-token: write
-  # Allow commenting on issues for `reusable-build.yml`
-  issues: write
+permissions: {}
 
 jobs:
   build:
+    if: github.repository_owner == 'rstackjs'
     strategy:
       fail-fast: false # Build and test everything so we can look at all the errors
       matrix:
@@ -65,6 +62,8 @@ jobs:
           - target: aarch64-apple-darwin
             runner: "macos-latest"
 
+    permissions:
+      contents: read
     uses: ./.github/workflows/reusable-build.yml
     with:
       target: ${{ matrix.array.target }}
@@ -75,10 +74,12 @@ jobs:
 
   release:
     name: Release
+    if: github.repository_owner == 'rstackjs'
     environment: npm
     permissions:
+      # push release tag via scripts/x.mjs publish --push-tags
       contents: write
-      # To publish packages with provenance
+      # OIDC provenance for npm publish
       id-token: write
     runs-on: ubuntu-latest
     needs: build

diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
@@ -13,17 +13,19 @@ on:
         required: false
         default: false
 
-permissions:
-  # trust publish needs
-  id-token: write
-  # push tag
-  contents: write
+permissions: {}
 
 jobs:
   release-plz:
     name: Release-plz
+    if: github.repository_owner == 'rstackjs'
     runs-on: ubuntu-latest
     environment: crate
+    permissions:
+      # OIDC trusted publishing to crates.io
+      id-token: write
+      # push release tag
+      contents: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
@@ -35,8 +35,7 @@ env:
   CARGO_INCREMENTAL: 0
 
 permissions:
-  # Allow commenting on issues
-  issues: write
+  contents: read
 
 jobs:
   build: