From 2cbd0b33509e7bdcc9c00a13b706a3f15765f8c4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 13 Apr 2026 08:56:13 +0000
Subject: [PATCH] fix: add least-privilege token permissions to GitHub workflows (OSSF)
Agent-Logs-Url: https://github.com/mikefarah/yq/sessions/1b5db5e2-af78-4289-a6e0-2e972fc68ef1
Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com>
---
 .github/workflows/codeql.yml         | 2 ++
 .github/workflows/docker-release.yml | 5 +++++
 .github/workflows/release.yml        | 2 ++
 .github/workflows/snap-release.yml   | 4 ++++
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 15f0db98..99fbdc20 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,6 +20,8 @@ on:
   schedule:
     - cron: '24 3 * * 1'
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 67ebc797..871fc355 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -7,12 +7,17 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   publishDocker:
     environment: dockerhub
     env:
       IMAGE_NAME: mikefarah/yq
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6e28af66..a8924ef7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,8 @@ on:
       - 'v4.*'
       - 'draft-*'
 
+permissions: {}
+
 jobs:
   publishGitRelease:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/snap-release.yml b/.github/workflows/snap-release.yml
index 6b8d1969..65513eaf 100644
--- a/.github/workflows/snap-release.yml
+++ b/.github/workflows/snap-release.yml
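Review bot: The new workflow-level `permissions: {}` in codeql.yml strips every scope from GITHUB_TOKEN, and the `analyze` job's SARIF upload (`github/codeql-action/analyze`) needs `security-events: write` to succeed; the job body continues past the hunk, so whether it already declares its own `permissions:` block cannot be seen here and should be confirmed before merging. If it does not, add under `analyze:` the lines `permissions:` / `security-events: write` / `contents: read` (private repositories additionally need `actions: read`). A one-line comment on the new top-level key, `permissions: {}  # default-deny; each job grants only what it needs`, would also make the intent clear to the next editor.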
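Review bot: `packages: write` on `publishDocker` grants GITHUB_TOKEN push access to GHCR, yet the only registry visible in this hunk is Docker Hub (`environment: dockerhub`, `IMAGE_NAME: mikefarah/yq`), which authenticates with stored secrets rather than GITHUB_TOKEN. The build and push steps run after the hunk, so if none of them logs in to `ghcr.io` with `${{ secrets.GITHUB_TOKEN }}`, this scope is unused and the block should shrink to `contents: read` alone to match the commit's least-privilege goal. If a step does push to GHCR, say so beside the grant, `packages: write  # push to ghcr.io with GITHUB_TOKEN`, so the scope stays auditable. Separately, one context line of the 12 the hunk header announces is not visible here, so the reformatted hunk is one line short of what git would print.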
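Review bot: `publishGitRelease` receives no job-level `permissions:` in this hunk while release.yml now defaults to `permissions: {}`, so its GITHUB_TOKEN carries no scopes and any step that creates the release or uploads assets with that token will be rejected with 403. The job body continues past the hunk, so a grant may already exist further down; if the release is created with `GITHUB_TOKEN`, the job needs `permissions:` / `contents: write`, and if it uses a PAT from secrets instead, `permissions:` / `contents: read  # release is created with a PAT, not GITHUB_TOKEN` documents that the empty default is deliberate. Keep any `contents: write` on this job only, since it also permits pushes to the repository.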
@@ -7,10 +7,14 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   buildSnap:
     environment: snap
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: snapcore/action-build@3bdaa03e1ba6bf59a65f84a751d943d549a54e79 # v1.3.0
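Review bot: `contents: read` on `buildSnap` is enough for the checkout shown, but the steps after `snapcore/action-build` lie outside this hunk, so whether any of them needs a further GITHUB_TOKEN scope cannot be told from here; a step that attaches the built `.snap` to a GitHub release would need `contents: write`, whereas publishing to the Snap Store presumably authenticates with a store credential from the `snap` environment and needs nothing from GITHUB_TOKEN. Confirm the remainder of the job and record the reasoning next to the grant: `contents: read  # checkout only; store publishing uses the environment's store credential`.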