chore: GH workflow permissions (#33)

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

.github/workflows/native-builds.yml

@@ -10,6 +10,10 @@ env:
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   builder:
     strategy:
@@ -18,8 +22,8 @@ jobs:
         os: ['ubuntu-24.04', 'ubuntu-24.04-arm', 'macos-13', 'macos-15']
     runs-on: ${{ matrix.os }}
     permissions:
-      contents: write
-      packages: write
+      contents: read
+      packages: write  # needed for publishing to GH container registry
     steps:
     - uses: actions/checkout@v4
     - name: setup upx

.github/workflows/release.yml

@@ -5,12 +5,15 @@ on:
     tags:
     - 'v*'
 
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   pkg:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: write
+      packages: write  # needed for publishing to GH package registry
     steps:
     - uses: actions/checkout@v4
     - name: Use Node.js

.github/workflows/test.yml

@@ -6,12 +6,15 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   pkg:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: write
     steps:
     - uses: actions/checkout@v4
     - name: Use Node.js