From a3c4da0aedd392f3a095f649d9bae44468e6ceb0 Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Mon, 29 Sep 2025 16:22:10 +0100
Subject: [PATCH] chore: Add permissions to all workflows

---
 .github/workflows/lint.yml | 3 +++
 .github/workflows/pr_title.yml | 5 ++++-
 .github/workflows/publish.yml | 3 +++
 .github/workflows/release_pr.yml | 2 ++
 .github/workflows/unittests.yml | 2 ++
 5 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0ddedfa..ccfa990 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml
index c44b736..d234e31 100644
--- a/.github/workflows/pr_title.yml
+++ b/.github/workflows/pr_title.yml
@@ -7,6 +7,9 @@ on:
 - edited
 - synchronize
+permissions:
+ pull-requests: read
+
 jobs:
 main:
 name: Validate PR title
@@ -44,7 +47,7 @@ jobs:
 # special "[WIP]" prefix to indicate this state. This will avoid the
 # validation of the PR title and the pull request checks remain pending.
 # Note that a second check will be reported if this is enabled.
- wip: true
+ wip: false
 # When using "Squash and merge" on a PR with only one commit, GitHub
 # will suggest using that commit message instead of the PR title for the
 # merge commit, and it's easy to commit this by mistake. Enable this option
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ac0b8b8..3bc8748 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
 tags:
 - "v*.*.*"
+permissions:
+ contents: read
+
 jobs:
 pypi-publish:
 name: upload release to PyPI
diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index ddb8a6b..513795d 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
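Review bot: The switch from `wip: true` to `wip: false` in the second pr_title.yml hunk is a behaviour change that the commit subject ("Add permissions to all workflows") does not mention, and the comment block above the key still only describes what the option does. Presumably it was turned off because reporting the second check needs a write scope that the new `pull-requests: read` token no longer carries. Say so next to the key, e.g. `# Disabled: the WIP check needs a write-scoped token; this workflow runs read-only.`, so nobody re-enables it without also widening `permissions`. The step that holds this option starts outside the hunk, so the action and its other inputs are not visible here.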
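Review bot: The workflow-level `permissions: contents: read` added in publish.yml sets every scope it does not list to `none`, and that includes `id-token`. The `pypi-publish` job is named "upload release to PyPI"; if it publishes through PyPI trusted publishing (OIDC) it needs `id-token: write`, and the job body is outside this hunk, so whether it declares that itself cannot be checked here. A job-level `permissions:` block replaces the workflow default rather than adding to it, so `contents: read` has to be repeated there if the job checks out the repository. A comment on the new block such as `# read-only default; pypi-publish grants id-token: write on the job` would record the intent and keep the write scope confined to the one job that needs it.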
@@ -3,6 +3,8 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
 jobs:
 release-please:
diff --git a/.github/workflows/unittests.yml b/.github/workflows/unittests.yml
index fcec4cd..f3e9089 100644
--- a/.github/workflows/unittests.yml
+++ b/.github/workflows/unittests.yml
@@ -5,6 +5,8 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
 jobs:
 test:
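Review bot: With `contents: read` as the workflow default in release_pr.yml, the `release-please` job has no write access through `GITHUB_TOKEN`, while a release-PR job normally has to push a branch, open or update a pull request and create tags or releases. The job body is outside the hunk, so it is not visible whether it declares its own `permissions:` or authenticates with a separate token. If it relies on `GITHUB_TOKEN`, keep the read-only default at the top and grant the write scopes on that job only: a `permissions:` block under `release-please:` with `contents: write` and `pull-requests: write`. If it uses a separate token instead, a one-line comment on the new block saying so would stop a later reader from widening the default.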