Workflow permissions per Scorecard recommendations

nosborn · nosborn · commit 9ed1a59879c0 · 2025-06-12T14:13:36.000+08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,13 +8,15 @@ on:
       - v*.*.*
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: release
 
 jobs:
   create-release:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Clone the repository
diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml
@@ -9,14 +9,16 @@ on:
       - edited
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 concurrency:
   group: versioning
 
 jobs:
   actions-tagger:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: Actions-R-Us/actions-tagger@330ddfac760021349fef7ff62b372f2f691c20fb # v2.0.3
