From 96ce3808a78b997bca2ae1c7cb60ccde5ac4b553 Mon Sep 17 00:00:00 2001
From: Ricardo Amaral
Date: Wed, 8 Apr 2026 13:49:53 +0100
Subject: [PATCH] ci: reduce workflow-level permissions to least privilege

semantic-release uses the GitHub App token for all write operations, so the workflow's default GITHUB_TOKEN only needs id-token (OIDC provenance), packages (GitHub Packages publish), and contents read (for the CI validation workflow to checkout the repository).
---
 .github/workflows/publish-package-release.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/publish-package-release.yml b/.github/workflows/publish-package-release.yml
index 97282167..ea6c0f6a 100644
--- a/.github/workflows/publish-package-release.yml
+++ b/.github/workflows/publish-package-release.yml
@@ -13,12 +13,8 @@ permissions:
   id-token: write
   # Enable the use of GitHub Packages registry
   packages: write
-  # Enable `semantic-release` to publish a GitHub release and push commits
-  contents: write
-  # Enable `semantic-release` to post comments on issues
-  issues: write
-  # Enable `semantic-release` to post comments on pull requests
-  pull-requests: write
+  # Enable the CI validation workflow to checkout the repository
+  contents: read
 # The release workflow involves many crucial steps that once triggered shouldn't be cancelled until
 # finished, otherwise we might end up in an inconsistent state (e.g., published to GitHub Packages
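Review bot: The remaining `id-token: write` and `packages: write` still sit at workflow level, so every job in this workflow — including the CI validation job the new `contents: read` comment refers to — receives an OIDC-capable token with package-publish rights, which is broader than least privilege for a job that only needs to check out the repository. Unless the jobs are already narrowed below (not visible in the hunk; the hunk's trailing context also appears cut off), consider leaving only `contents: read` here and moving `id-token: write` / `packages: write` into a job-level `permissions:` block on the publish job. Since the commit relies on the GitHub App token for releases and issue/PR comments, it is worth confirming that no step still exports `secrets.GITHUB_TOKEN` as `GITHUB_TOKEN` for semantic-release, because that token now lacks the `contents`, `issues` and `pull-requests` write scopes the removed comments documented and a release run would fail at publish time. A one-line comment above `contents: read`, e.g. `# All write scopes are granted via the GitHub App token (see release job)`, would record where the write authority now comes from.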