From 1dc6cf76d095de66a7162c1c10cc754b46388d85 Mon Sep 17 00:00:00 2001
From: Kent Gruber
Date: Wed, 29 Oct 2025 13:35:10 -0400
Subject: [PATCH] Set explicit permissions for GitHub Actions workflows

This change was made by an automated process to ensure all GitHub Actions workflows have explicitly defined permissions as per best practices.
---
 .github/workflows/ci.yaml | 4 ++++
 .github/workflows/goreleaser.yml | 3 +++
 .github/workflows/trigger-docs.yml | 3 +++
 .github/workflows/trigger-publish.yml | 3 +++
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index bf2750297..458fa39a9 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -5,6 +5,10 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 build-test:
 strategy:
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 3ef1d0b13..1ec2ae7e0 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -6,6 +6,9 @@ on:
 types:
 - published
 
+permissions:
+ contents: write
+
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/trigger-docs.yml b/.github/workflows/trigger-docs.yml
index 8b62778bf..346482656 100644
--- a/.github/workflows/trigger-docs.yml
+++ b/.github/workflows/trigger-docs.yml
@@ -3,6 +3,9 @@ on:
 workflow_dispatch:
 release:
 types: [published]
+
+permissions:
+ contents: read
 jobs:
 update:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/trigger-publish.yml b/.github/workflows/trigger-publish.yml
index 04eee3192..e9fcdff38 100644
--- a/.github/workflows/trigger-publish.yml
+++ b/.github/workflows/trigger-publish.yml
@@ -5,6 +5,9 @@ on:
 release:
 types: [published]
 
+permissions:
+ contents: read
+
 jobs:
 trigger:
 if: ${{ ! contains(github.ref, '-rc.') }}
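Review bot: `actions: write` is granted at workflow level in `.github/workflows/ci.yaml`, so every job in the file, starting with `build-test`, receives a token that can cancel or re-run workflow runs and delete caches and artifacts. If only one job needs that scope, move it into a job-level `permissions:` block on that job and keep the top level at `contents: read`. The job bodies are outside the hunk, so which step uses the scope cannot be confirmed from here. Since the value was inferred by an automated process, a comment such as `# actions: write - required by <step>` would record why it is kept.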
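Review bot: Once a `permissions:` block is present, every scope it does not list drops to `none`, so `contents: write` in `.github/workflows/goreleaser.yml` becomes the only access the `goreleaser` job's token has. The job's steps are outside the hunk; if the release also pushes container images or signs artifacts with the workflow's OIDC identity, `packages: write` or `id-token: write` would have to be listed too, and the gap would only surface at the next published release. A comment such as `# contents: write - upload release assets` would document why write access is retained.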
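Review bot: `contents: read` in `.github/workflows/trigger-docs.yml`, and the identical block in `.github/workflows/trigger-publish.yml`, may still be more than these workflows use. Their names suggest they only dispatch work elsewhere; if the jobs never check out the repository and authenticate with a separate secret, `permissions: {}` would reduce the default token to no access. The job steps are outside both hunks, so confirm that before tightening. In trigger-docs.yml the new block also lacks the blank line before `jobs:` that the other three workflows have.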