From 5295b31d1020af3192096440a9247d47acd90876 Mon Sep 17 00:00:00 2001
From: Michael Smith <owlstronaut@github.com>
Date: Fri, 25 Apr 2025 11:48:15 -0700
Subject: [PATCH] chore: postinstall workflow updates

---
 .github/workflows/audit.yml               | 3 +++
 .github/workflows/ci-release.yml          | 4 ++++
 .github/workflows/ci.yml                  | 3 +++
 .github/workflows/codeql-analysis.yml     | 3 +++
 .github/workflows/pull-request.yml        | 3 +++
 .github/workflows/release-integration.yml | 4 ++++
 .github/workflows/release.yml             | 1 +
 7 files changed, 21 insertions(+)

diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index ffe363d..c4d65de 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -8,6 +8,9 @@ on:
     # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     name: Audit Dependencies
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index 233eb8c..226b91d 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -18,6 +18,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   lint-all:
     name: Lint All
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 882b3bf..fdda702 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 15c8efe..af848e1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,6 +13,9 @@ on:
     # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
     - cron: "0 10 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 2528406..475c1aa 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -10,6 +10,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     name: Lint Commits
diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
index 0eeb1e0..d83f4e0 100644
--- a/.github/workflows/release-integration.yml
+++ b/.github/workflows/release-integration.yml
@@ -19,6 +19,10 @@ on:
       PUBLISH_TOKEN:
         required: true
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   publish:
     name: Publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2f1db1e..444209a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -244,6 +244,7 @@ jobs:
     if: needs.release.outputs.releases
     uses: ./.github/workflows/release-integration.yml
     permissions:
+      contents: read
       id-token: write
     secrets:
       PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}