From 75fd3cfd3a9183d8dbbb181d780e8b7d8bc676cb Mon Sep 17 00:00:00 2001
From: Jen Basch
Date: Fri, 31 Oct 2025 10:58:11 -0700
Subject: [PATCH] Enforce default permissions at the workflow level

---
 .github/PklProject           | 2 +-
 .github/PklProject.deps.json | 4 ++--
 .github/workflows/build.yml  | 3 +++
 .github/workflows/main.yml   | 2 ++
 .github/workflows/prb.yml    | 2 ++
 5 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/PklProject b/.github/PklProject
index 90d0145e35..acba3bbdb9 100644
--- a/.github/PklProject
+++ b/.github/PklProject
@@ -2,5 +2,5 @@ amends "pkl:Project"
 
 dependencies {
   ["gha"] { uri = "package://pkg.pkl-lang.org/pkl-project-commons/temp.stefma.gha@0.0.0" }
-  ["pkl.impl.ghactions"] { uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0.2.0" }
+  ["pkl.impl.ghactions"] { uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0.3.2" }
 }
diff --git a/.github/PklProject.deps.json b/.github/PklProject.deps.json
index 2c5404a623..709b4b8c5c 100644
--- a/.github/PklProject.deps.json
+++ b/.github/PklProject.deps.json
@@ -10,9 +10,9 @@
     },
     "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0.2.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@0.3.2",
       "checksums": {
-        "sha256": "2d593b831c63736bf55c1aa8ad3bc8dbbc86c974db963c38ba668fbcecd32a87"
+        "sha256": "3427c2349ba465e64e1d2e9ec1f71c079e7f98a0a5fcfe900df67c98daf7eebb"
       }
     }
   }
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4735a0ac5c..3aeebd40aa 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,8 +6,11 @@ name: Build
   push:
     branches-ignore:
       - main
+      - release/*
    tags-ignore:
       - '*'
+permissions:
+  contents: read
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
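Review bot: The workflow-level `contents: read` added to build.yml only covers jobs that declare no `permissions:` of their own; a job-level block replaces the workflow default outright, so every scope it omits drops to `none`, and any job below this hunk that later gains extra scopes has to restate `contents: read` for its checkout step to keep working. The `build-and-test` job body continues outside the hunk, so I cannot tell from here whether it needs anything beyond read access. Separately, the `- release/*` entry added under `branches-ignore` is unrelated to the permissions hardening named in the subject and silently stops pushes to release branches from running Build; it deserves its own commit or at least a sentence in the message. If these YAML files are rendered from Pkl sources (the `pkl.impl.ghactions` bump in the same commit suggests they may be), no `.pkl` workflow source appears in the diffstat, so it is worth confirming the next regeneration will not overwrite these edits.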
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8fdd4055a7..34b96f2466 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -14,6 +14,8 @@ name: Build (main)
         description: The source GitHub Action workflow run triggering this build
         required: false
         type: string
+permissions:
+  contents: read
 jobs:
   publish:
     permissions:
diff --git a/.github/workflows/prb.yml b/.github/workflows/prb.yml
index 067424d702..bdd4a8d2f1 100644
--- a/.github/workflows/prb.yml
+++ b/.github/workflows/prb.yml
@@ -4,6 +4,8 @@ name: Pull Request
 
 'on':
   pull_request: {}
+permissions:
+  contents: read
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
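Review bot: The `publish` job directly under the new block in main.yml carries its own `permissions:` (its contents lie outside the hunk), and a job-level `permissions` block replaces the workflow-level one rather than merging with it, so every scope not listed there becomes `none`. The new workflow default therefore does nothing for that job: if it checks out the repository, its own block must name `contents: read` (or `write`) explicitly or the checkout will fail. Worth confirming that block lists every scope the job actually needs, including `contents`. The prb.yml hunk on this line has no job-level override in view and needs no change.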