From d37c3ddf2673673262de32d8d390c6b4aa14902c Mon Sep 17 00:00:00 2001
From: Rupato Braganza <rupato@deriv.com>
Date: Tue, 1 Jul 2025 11:50:30 +0800
Subject: [PATCH] fix: workflow permissons

---
 .github/workflows/coveralls.yml          | 2 ++
 .github/workflows/release_production.yml | 6 ++++++
 .github/workflows/release_staging.yml    | 2 ++
 .github/workflows/release_test.yml       | 2 ++
 .github/workflows/translation_push.yml   | 2 ++
 5 files changed, 14 insertions(+)

diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index 4c56e6f3f..15fee4ed1 100755
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -10,6 +10,8 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
diff --git a/.github/workflows/release_production.yml b/.github/workflows/release_production.yml
index 65ad59a4c..ff0d070d4 100644
--- a/.github/workflows/release_production.yml
+++ b/.github/workflows/release_production.yml
@@ -10,6 +10,8 @@ jobs:
     name: Builds and Publishes to Cloudflare Pages Production
     environment: Production
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       RELEASE_VERSION: ${{ steps.extract_version.outputs.RELEASE_VERSION }}
     steps:
@@ -50,6 +52,8 @@ jobs:
     name: Send Slack Notification
     environment: Production
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: always()
     needs: [build_and_publish]
     steps:
@@ -75,6 +79,8 @@ jobs:
     name: Publish to Vercel DR
     runs-on: ubuntu-latest
     environment: Production
+    permissions:
+      contents: read
     needs: [build_and_publish]
     steps:
       - name: Checkout
diff --git a/.github/workflows/release_staging.yml b/.github/workflows/release_staging.yml
index 31a2ef940..ce11c6934 100644
--- a/.github/workflows/release_staging.yml
+++ b/.github/workflows/release_staging.yml
@@ -8,6 +8,8 @@ jobs:
     name: Builds and Publishes to Cloudflare Pages Staging
     runs-on: ubuntu-latest # TODO: Replace this with the appropriate runner for Deriv-Api-Docs when provided
     environment: Staging
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
diff --git a/.github/workflows/release_test.yml b/.github/workflows/release_test.yml
index a9aaeda23..f529a0a69 100644
--- a/.github/workflows/release_test.yml
+++ b/.github/workflows/release_test.yml
@@ -12,6 +12,8 @@ jobs:
     name: Builds and Publishes to Cloudflare Pages Test
     environment: Staging
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       RELEASE_VERSION: ${{ steps.extract_version.outputs.RELEASE_VERSION }}
     steps:
diff --git a/.github/workflows/translation_push.yml b/.github/workflows/translation_push.yml
index 5227ef749..49e66810b 100644
--- a/.github/workflows/translation_push.yml
+++ b/.github/workflows/translation_push.yml
@@ -6,6 +6,8 @@ on:
 jobs:
   crowdin-upload:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11