From d0822ad9bf77d35dee590e455d9ef5b96ccb243c Mon Sep 17 00:00:00 2001
From: Seth Vargo <seth@sethvargo.com>
Date: Fri, 25 Apr 2025 08:42:57 -0400
Subject: [PATCH] Declare workflow permissions (#482)

---
 .github/workflows/draft-release.yml | 4 ++++
 .github/workflows/release.yml       | 4 ++++
 .github/workflows/test.yml          | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 894426a..494db1f 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -13,6 +13,10 @@ on:
           - 'minor'
           - 'patch'
 
+permissions:
+  contents: 'read'
+  pull-requests: 'write'
+
 jobs:
   draft-release:
     uses: 'google-github-actions/.github/.github/workflows/draft-release.yml@v3' # ratchet:exclude
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0457b00..736378f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,10 @@ on:
       - 'main'
       - 'release/**/*'
 
+permissions:
+  contents: 'read'
+  packages: 'write'
+
 jobs:
   release:
     uses: 'google-github-actions/.github/.github/workflows/release.yml@v3' # ratchet:exclude
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1be6bc6..b7686e4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -33,6 +33,10 @@ defaults:
   run:
     shell: 'bash'
 
+permissions:
+  contents: 'read'
+  statuses: 'write'
+
 jobs:
   unit:
     name: 'unit'