From 8a9a6cf36ca986cc7a9aa409a20d3b1d7d7448e7 Mon Sep 17 00:00:00 2001
From: Seth Vargo
Date: Fri, 18 Jul 2025 11:35:50 -0400
Subject: [PATCH] Set permissions on workflows
---
 .github/workflows/draft-release.yml | 8 ++++++++
 .github/workflows/lint.yml | 5 ++++-
 .github/workflows/release.yml | 9 +++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 50c9eac..67f20cb 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -11,6 +11,14 @@ on:
 ACTIONS_BOT_TOKEN:
 required: true
+permissions:
+ contents: 'read'
+ pull-requests: 'write'
+
+defaults:
+ run:
+ shell: 'bash'
+
 jobs:
 draft-release:
 name: 'Draft Release'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9362621..0574660 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -19,6 +19,10 @@ permissions:
 contents: 'read'
 statuses: 'write'
+defaults:
+ run:
+ shell: 'bash'
+
 jobs:
 init:
 name: 'Lint (Initialize)'
@@ -41,7 +45,6 @@ jobs:
 env:
 REF: '${{ github.event.pull_request.head.sha }}'
 LC_ALL: 'C'
- shell: 'bash'
 run: |-
 set -euo pipefail
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bf4a8ea..e29bc01 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,15 @@ on:
 ACTIONS_BOT_TOKEN:
 required: true
+permissions:
+ attestations: 'write'
+ contents: 'write'
+ packages: 'write'
+
+defaults:
+ run:
+ shell: 'bash'
+
 jobs:
 create-release:
 if: |-
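Review bot: The `permissions` block added to draft-release.yml limits only the GITHUB_TOKEN; the `ACTIONS_BOT_TOKEN` secret that the context lines declare as required keeps whatever scope it was issued with, so the block does not by itself bound what the jobs can do. The jobs begin at `jobs:` and continue outside the hunk, so it is not visible which token opens the pull request; if it is the bot token, `pull-requests: 'write'` can presumably be dropped. The secrets-under-`on:` shape suggests a reusable workflow, in which case a caller has to grant at least these scopes or the call is rejected at startup, and the same holds for the block added in release.yml. I would put a comment above the block, for example `# Applies to GITHUB_TOKEN only; callers must grant at least these scopes.`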
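Review bot: In release.yml `attestations: 'write'` is granted without `id-token: 'write'`, and once a `permissions` block is present every scope it does not list falls to none. GitHub's artifact-attestation actions request an OIDC token to obtain the signing certificate, so if a job further down generates attestations that way (the jobs lie outside the hunk, and may set their own permissions) it would presumably fail until `id-token: 'write'` is added. The three write scopes also apply to every job in the file, `create-release` included; declaring each one in a job-level `permissions:` on the job that needs it would leave the remaining jobs read-only.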