To fix this issue, explicitly add a permissions block at the root of the workflow file. Begin by setting the permissions to the lowest possible value (read-only access for contents), and elevate permissions only in those jobs or steps that genuinely require them (such as jobs using actions that upload or download artifacts, though most such actions only require contents: read). Since the workflow mainly restores/builds code, interacts with docker, and uploads/downloads artifacts, contents: read will likely suffice. Set this block immediately after the name: declaration and before the on: block to ensure it applies globally to all jobs, unless overridden by a job-level permissions block.