From 7e2af02b1fd083c5c1a4b32526f7454ecd2e6fa1 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 15:32:06 -0400
Subject: [PATCH 1/5] ci: scope down permissions for release.yml
---
 .github/workflows/release.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c8f1f9b83..39c00d060 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,10 @@ on:
 push:
 branches:
 - "release/v*"
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 release:
 name: Create Release
From a055fba2e50254ec78061707efc763f26d361046 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 15:32:08 -0400
Subject: [PATCH 2/5] ci: scope down permissions for publish.yml
---
 .github/workflows/publish.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 98f0c4f37..662a6518c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
 name: Merge Release Branch
+permissions:
+ contents: write
+
 jobs:
 publish:
 name: Publish
From 01303f81cd107099e059a664bf35e5bd6e64bf89 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 15:32:09 -0400
Subject: [PATCH 3/5] ci: scope down permissions for lint-prettier.yml
---
 .github/workflows/lint-prettier.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/lint-prettier.yml b/.github/workflows/lint-prettier.yml
index 09f27c072..915c9c40b 100644
--- a/.github/workflows/lint-prettier.yml
+++ b/.github/workflows/lint-prettier.yml
@@ -7,6 +7,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 typecheck:
 name: Typecheck
From 7f96c88b321a9ad428e84754bc41711acfa4cf91 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 15:32:11 -0400
Subject: [PATCH 4/5] ci: scope down permissions for docs.yml
---
 .github/workflows/docs.yml | 3 +++
 1 file changed, 3 insertions(+)
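Review bot: `contents: write` is granted at workflow level in release.yml, so every job in the file receives a write-capable `GITHUB_TOKEN`, not only the step that creates the release. Only the start of the `release` job is visible in the hunk, so I cannot tell whether other jobs exist, but the tighter pattern is a top-level `permissions: {}` with `permissions:` / `contents: write` / `pull-requests: read` declared under `release:` itself. The same applies to the workflow-level `contents: write` added in publish.yml and docs.yml; in docs.yml the first job is `test`, which presumably does not need to write to the repository.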
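Review bot: Once a `permissions:` block is present in publish.yml, every scope it does not list is set to `none`, so the `publish` job now runs with `contents: write` and nothing else. The job's steps are outside this hunk; if any of them pushes to GitHub Packages or requests an OIDC token (for example for registry provenance), it will need `packages: write` or `id-token: write` and will otherwise fail only at publish time. I would confirm that with a test run before the next release and record the reason for each scope inline, e.g. `contents: write # merge the release branch`, assuming that is what the write access is for. The same check is worth doing for the steps of the other four workflows in this series.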
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 39342c01e..68efa41b1 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -11,6 +11,9 @@ on:
 release:
 types: [published]
+permissions:
+ contents: write
+
 jobs:
 test:
 runs-on: ubuntu-latest
From 30421408f4d18df50c758c3c725a4a7fd598b1d2 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 15:32:13 -0400
Subject: [PATCH 5/5] ci: scope down permissions for build.yml
---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0279816d0..a03c967ac 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,9 @@ on:
 - main
 env:
 NODE_OPTIONS: "--max-old-space-size=28000"
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test