From fcf929165312ab541703fe0036964c718858f358 Mon Sep 17 00:00:00 2001
From: vmfunc
Date: Fri, 13 Feb 2026 01:40:22 +0100
Subject: [PATCH] ci: add explicit permissions to all workflows - fixes scorecard token-permissions

Signed-off-by: vmfunc
---
 .github/workflows/automatic-rebase.yml | 5 +++++
 .github/workflows/check-large-files.yml | 3 +++
 .github/workflows/code_quality.yml | 2 ++
 .github/workflows/go.yml | 3 +++
 .github/workflows/govulncheck.yml | 3 +++
 .github/workflows/header-check.yml | 3 +++
 .github/workflows/language.yml | 6 ++++++
 .github/workflows/markdown-lint.yml | 4 ++++
 .github/workflows/misspell.yml | 4 ++++
 .github/workflows/reportcard.yml | 3 +++
 .github/workflows/runtest.yml | 3 +++
 .github/workflows/shellcheck.yml | 4 ++++
 .github/workflows/yaml-lint.yml | 4 ++++
 13 files changed, 47 insertions(+)

diff --git a/.github/workflows/automatic-rebase.yml b/.github/workflows/automatic-rebase.yml
index 28efd9a..88ddc13 100644
--- a/.github/workflows/automatic-rebase.yml
+++ b/.github/workflows/automatic-rebase.yml
@@ -2,6 +2,11 @@ name: automatic rebase
 on:
   issue_comment:
     types: [created]
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   rebase:
     name: Rebase
diff --git a/.github/workflows/check-large-files.yml b/.github/workflows/check-large-files.yml
index 87692db..9b576f7 100644
--- a/.github/workflows/check-large-files.yml
+++ b/.github/workflows/check-large-files.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/code_quality.yml b/.github/workflows/code_quality.yml
index 86ac2e3..cc0d137 100644
--- a/.github/workflows/code_quality.yml
+++ b/.github/workflows/code_quality.yml
@@ -6,6 +6,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
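Review bot: The workflow-level `contents: write` and `pull-requests: write` added to automatic-rebase.yml apply to every job of a workflow that `issue_comment` fires for any comment on any issue or pull request, so a write-capable token is minted before anything has checked who commented or whether the issue is a PR at all; language.yml adds the same shape with `issues: write` and `pull-requests: write` on a workflow that also runs on `edited` comments. Set the workflow-level block to `permissions: {}` (or `contents: read`) and move the write scopes onto the `rebase` job (and the `echo_issue_comment` job in language.yml) so only the job that pushes or comments holds them. Confirm those jobs carry an `if:` guard on `github.event.issue.pull_request` and the commenter's `author_association`, and that any use of `github.event.comment.body` in a `run:` step goes through `env:` rather than direct `${{ }}` interpolation; the job bodies are outside the hunks, so I cannot see whether they already do. The `rebase` job definition continues outside the hunk.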
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 0ccc097..fb90adc 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 28502c5..fe1174a 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "0 6 * * 1" # monday 06:00 UTC
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/header-check.yml b/.github/workflows/header-check.yml
index fbcaabb..81a9d7b 100644
--- a/.github/workflows/header-check.yml
+++ b/.github/workflows/header-check.yml
@@ -8,6 +8,9 @@ on:
     paths:
       - '**.go'
 
+permissions:
+  contents: read
+
 jobs:
   check-headers:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/language.yml b/.github/workflows/language.yml
index 0dce62d..19f5448 100644
--- a/.github/workflows/language.yml
+++ b/.github/workflows/language.yml
@@ -12,6 +12,12 @@ on:
     types:
       - created
       - edited
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 jobs:
   echo_issue_comment:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/markdown-lint.yml b/.github/workflows/markdown-lint.yml
index 67f6362..124c0d2 100644
--- a/.github/workflows/markdown-lint.yml
+++ b/.github/workflows/markdown-lint.yml
@@ -5,6 +5,10 @@ on:
     paths:
       - "**/*.md"
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   markdownlint:
     name: runner / markdownlint
diff --git a/.github/workflows/misspell.yml b/.github/workflows/misspell.yml
index fec499b..7409c8a 100644
--- a/.github/workflows/misspell.yml
+++ b/.github/workflows/misspell.yml
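Review bot: `pull-requests: write` in markdown-lint.yml is granted at workflow level, although only the job that posts review comments (`runner / markdownlint`, presumably a reviewdog-style reporter) needs it; misspell.yml, shellcheck.yml and yaml-lint.yml add the same pair. Keep `contents: read` at the top and move the write scope into that one job, e.g. `permissions:` / `  contents: read` / `  pull-requests: write` under the job key. The only trigger visible in the misspell.yml hunk is `push: branches: [main]`; if no `pull_request` trigger sits above it, there is no pull request to comment on and the scope is unused there. For `pull_request` runs from forks the token is read-only regardless of this block, so a reporter that needs it will not be able to post on those runs; the job bodies are outside the hunks.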
@@ -5,6 +5,10 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/reportcard.yml b/.github/workflows/reportcard.yml
index adc0acd..7fe407b 100644
--- a/.github/workflows/reportcard.yml
+++ b/.github/workflows/reportcard.yml
@@ -7,6 +7,9 @@ on:
     branches: [main]
   workflow_call:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/runtest.yml b/.github/workflows/runtest.yml
index 425431b..d2e2acd 100644
--- a/.github/workflows/runtest.yml
+++ b/.github/workflows/runtest.yml
@@ -7,6 +7,9 @@ on:
     branches: [main]
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index bbc9e1a..fb05eaa 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -5,6 +5,10 @@ on:
     paths:
       - "**/*.sh"
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   shellcheck:
     name: runner / shellcheck
diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml
index 154ec45..ce0d1d1 100644
--- a/.github/workflows/yaml-lint.yml
+++ b/.github/workflows/yaml-lint.yml
@@ -6,6 +6,10 @@ on:
       - "**/*.yml"
       - "**/*.yaml"
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   yamllint:
     name: runner / yamllint