From 9f7cc58d67c1b951b641a72fc70843014f71d6cc Mon Sep 17 00:00:00 2001
From: Ville Vesilehto
Date: Mon, 25 Aug 2025 23:08:21 +0300
Subject: [PATCH] chore(ci): restrict token permissions (#7470)

Replace read-all with contents:read and add explicit permissions to follow principle of least privilege.

Signed-off-by: Ville Vesilehto
---
 .github/workflows/cifuzz.yml        | 5 +++++
 .github/workflows/golangci-lint.yml | 5 +++++
 .github/workflows/make.doc.yml      | 3 ++-
 .github/workflows/release.yml       | 3 +++
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 217bef2ad..c9397fc8a 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,8 +1,13 @@
 name: CIFuzz
+
 on:
   pull_request:
     branches:
       - master
+
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 5a2e94569..1ad2763ea 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -1,6 +1,11 @@
 name: golangci-lint
+
 on:
   pull_request:
+
+permissions:
+  contents: read
+
 jobs:
   golangci:
     name: lint
diff --git a/.github/workflows/make.doc.yml b/.github/workflows/make.doc.yml
index ed00e785b..471ca31bd 100644
--- a/.github/workflows/make.doc.yml
+++ b/.github/workflows/make.doc.yml
@@ -4,7 +4,8 @@ on:
   schedule:
     - cron: '22 10 * * 0'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   fix:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8fa671b57..d1b1b4bad 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
         description: "Commit (e.g., 52f0348)"
         default: "master"
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release
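Review bot: The new workflow-level `permissions: contents: read` in golangci-lint.yml may be too narrow if the `golangci` job runs golangci-lint-action with `only-new-issues: true`, which fetches the pull-request diff through the API and needs `pull-requests: read` in addition to `contents: read`; the step configuration is outside this hunk, so please confirm. If that option is in use, add `pull-requests: read` under `permissions:` (still read-only, so least privilege is preserved). Any job that wants check annotations would additionally need `checks: write`, which should then be scoped at job level rather than widened for the whole workflow.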
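Review bot: Replacing `read-all` with `contents: read` in make.doc.yml silently drops every other read scope (`actions`, `checks`, `issues`, `pull-requests`, `metadata` stays) for the scheduled `fix` job, whose steps are outside this hunk; if any step reads PRs or issues via the API or `gh`, it will now fail with 403 rather than at parse time. A job named `fix` on a cron schedule plausibly pushes or opens a PR with the generated docs, which would need `contents: write` / `pull-requests: write` on the `GITHUB_TOKEN` or a separately provisioned token, so please verify the job declares its own job-level `permissions:` block for that, since job-level permissions override this workflow default. A one-line comment above the block would help the next maintainer: `# Workflow default is read-only; jobs that push or open PRs must declare their own job-level permissions.`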
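Review bot: Setting workflow-level `contents: read` in release.yml is the right default, but a release job that creates a GitHub release or uploads assets needs `contents: write`, and one that signs or publishes provenance via OIDC needs `id-token: write`; the `release` job's steps are outside this hunk, so confirm it now carries a job-level `permissions:` block with exactly the write scopes it uses, otherwise the `workflow_dispatch` run will fail at the publish step. Keeping those write scopes on the job rather than the workflow is preferable, so I would leave this hunk as is and only add the job-level block if it is missing. If the job instead relies on a stored PAT, note that in a comment, since this `permissions:` block does not constrain it.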