From 0231b37bdda698f9e5ab478b626d5cd46efa6abc Mon Sep 17 00:00:00 2001
From: labkey-tchad <tchad@labkey.com>
Date: Mon, 13 Oct 2025 15:21:06 -0700
Subject: [PATCH] Add explicit permissions to GitHub workflows

---
 .github/workflows/branch_release.yml | 4 ++++
 .github/workflows/merge_release.yml  | 4 ++++
 .github/workflows/validate_pr.yml    | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/.github/workflows/branch_release.yml b/.github/workflows/branch_release.yml
index b864e7156..e0b4cfc12 100644
--- a/.github/workflows/branch_release.yml
+++ b/.github/workflows/branch_release.yml
@@ -8,6 +8,10 @@ on:
     tags:
       - '*'
 
+permissions:
+  pull-requests: write
+  contents: write
+
 jobs:
   branch_release:
     if: github.event.created && github.event.sender.login == 'labkey-teamcity'
diff --git a/.github/workflows/merge_release.yml b/.github/workflows/merge_release.yml
index 440c9a3b6..f6d8d6ea0 100644
--- a/.github/workflows/merge_release.yml
+++ b/.github/workflows/merge_release.yml
@@ -8,6 +8,10 @@ on:
     types:
       - submitted
 
+permissions:
+  pull-requests: write
+  contents: write
+
 jobs:
   merge_release:
     if: >
diff --git a/.github/workflows/validate_pr.yml b/.github/workflows/validate_pr.yml
index b567d8aea..82d9a7a73 100644
--- a/.github/workflows/validate_pr.yml
+++ b/.github/workflows/validate_pr.yml
@@ -10,6 +10,9 @@ on:
       - reopened
       - ready_for_review
 
+permissions:
+  pull-requests: read
+
 jobs:
   validate_pr:
     if: github.event.pull_request.head.repo.owner.login == 'LabKey'