USThing · polyipseity · Jan 25, 2026 · Jan 25, 2026 · Jan 25, 2026
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -1,14 +1,20 @@
 name: Checks
 
 on:
-  - push
-  - pull_request
+  push:
+  pull_request:
+  workflow_dispatch:
+
+# Minimal file-level permissions for checks: read repository contents for linting/tests
+permissions:
+  contents: read
 
 jobs:
   detect-quota:
     # Probe the hosted runner (same flavor as the original try job) so we
     # can decide whether to use a hosted runner or fall back to
     # self-hosted. The job should fail if quota is exhausted.
+    permissions: {}
     runs-on: ubuntu-slim
     steps:
       - name: Quota probe

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -3,12 +3,13 @@ name: Docker CI
 on:
   push:
   pull_request:
+  workflow_dispatch:
 
+# Minimize permissions for Docker CI; only allow read access to repo contents
+# and package write for pushing images to GHCR.
 permissions:
   contents: read
   packages: write
-  attestations: write
-  id-token: write
 
 env:
   REGISTRY: ghcr.io
@@ -19,6 +20,7 @@ jobs:
     # Probe the hosted runner to decide whether to use hosted runners or
     # fall back to self-hosted. Use the same runner flavor as the original
     # try job.
+    permissions: {}
     runs-on: ubuntu-slim
     steps:
       - name: Quota probe

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,7 +4,10 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
 
+# Minimize default permissions; grant elevated permissions only to the
+# `release_please` job below.
 permissions:
   contents: write
   issues: write
@@ -19,6 +22,7 @@ jobs:
   detect-quota:
     # Probe the hosted runner flavor used by release steps so we can fall
     # back if necessary.
+    permissions: {}
     runs-on: ubuntu-slim
     steps:
       - name: Quota probe