Add empty permissions block at workflow level

Caps GITHUB_TOKEN's blast radius. None of these workflows need any GitHub API write scope — they only push to Docker Hub — so the safest default is permissions: {}, matching the posture used by AsamK/signal-cli. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 13:01:30 +00:00 · 2026-05-09 10:00:28 -07:00 · 2026-05-09 10:00:28 -07:00 · 69457e8f81
commit 69457e8f81
parent 419b18331d
3 changed files with 8 additions and 2 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -8,6 +8,8 @@ on:
    branches:
      - '**' #every branch

+permissions: {}
+
 jobs:
  setup:
    runs-on: ubuntu-24.04
--- a/.github/workflows/release-dev-version.yml
+++ b/.github/workflows/release-dev-version.yml
@ -4,9 +4,11 @@ on:
  workflow_dispatch:
    inputs:
      version:
-        description: 'Version'     
+        description: 'Version'
        required: true

+permissions: {}
+

 jobs:
  setup:
--- a/.github/workflows/release-productive-version.yml
+++ b/.github/workflows/release-productive-version.yml
@ -4,9 +4,11 @@ on:
  workflow_dispatch:
    inputs:
      version:
-        description: 'Version'     
+        description: 'Version'
        required: true

+permissions: {}
+

 jobs:
  setup: