From b7e448488f9a5b0e62de40ec9aeafe4615793d36 Mon Sep 17 00:00:00 2001
From: ppinchuk
Date: Mon, 17 Nov 2025 12:19:23 -0700
Subject: [PATCH 1/4] Enhance release drafter
---
 .github/release-drafter.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
index f6aacc723..c54fc4d14 100644
--- a/.github/release-drafter.yml
+++ b/.github/release-drafter.yml
@@ -1,3 +1,6 @@
+name-template: 'Draft: v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+change-template: '- $TITLE (#$NUMBER) @$AUTHOR'
 categories:
 - title: 'Breaking Changes'
 labels:
@@ -21,6 +24,26 @@ categories:
 - 'dependencies'
 - 'chore'
 - 'github_actions'
+version-resolver:
+ major:
+ labels:
+ - 'breaking'
+ minor:
+ labels:
+ - 'feature'
+ - 'enhancement'
+ - 'new computation'
+ patch:
+ labels:
+ - 'fix'
+ - 'bug'
+ - 'bugfix'
+ - 'refactor'
+ - 'documentation'
+ - 'dependencies'
+ - 'chore'
+ - 'github_actions'
+ default: patch
 template: |
 # What's Changed
From b9981d7d9f3ce14a2aa3862ae49489b1ab238a83 Mon Sep 17 00:00:00 2001
From: ppinchuk
Date: Mon, 17 Nov 2025 12:23:43 -0700
Subject: [PATCH 2/4] Add explicit permissions to GHA
---
 .github/workflows/ci-python.yml | 2 ++
 .github/workflows/ci-rust.yml | 2 ++
 .github/workflows/codecov.yml | 2 ++
 .github/workflows/publish_to_pypi.yml | 2 ++
 .github/workflows/release_drafter.yml | 2 ++
 5 files changed, 10 insertions(+)
diff --git a/.github/workflows/ci-python.yml b/.github/workflows/ci-python.yml
index 3b3af0c0d..56c9e9967 100644
--- a/.github/workflows/ci-python.yml
+++ b/.github/workflows/ci-python.yml
@@ -1,4 +1,6 @@
 name: Python checks
+permissions:
+ contents: read
 on:
 push:
diff --git a/.github/workflows/ci-rust.yml b/.github/workflows/ci-rust.yml
index e5a196d38..4fd593b27 100644
--- a/.github/workflows/ci-rust.yml
+++ b/.github/workflows/ci-rust.yml
@@ -1,4 +1,6 @@
 name: Rust Checks
+permissions:
+ contents: read
 on:
 push:
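Review bot: In the second hunk of .github/release-drafter.yml, the `major` resolver keys on the single label `breaking`, while the labels accepted by the 'Breaking Changes' category sit outside the hunk. If that category also accepts another label, a PR listed under Breaking Changes would still resolve to `default: patch` and the draft tag would understate the change. Confirm the two lists agree, and consider a comment such as `# keep these labels in sync with categories above` over `version-resolver:`.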
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 938bb72d6..2e70adcba 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -22,6 +22,8 @@ jobs:
 run:
 name: Codecov
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 with:
diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml
index 4f23e6c4d..419d12646 100644
--- a/.github/workflows/publish_to_pypi.yml
+++ b/.github/workflows/publish_to_pypi.yml
@@ -8,6 +8,8 @@ on:
 jobs:
 deploy:
 name: Build and upload wheels
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 if: startsWith(github.ref, 'refs/tags/v')
diff --git a/.github/workflows/release_drafter.yml b/.github/workflows/release_drafter.yml
index cf1c4f7f2..c31811563 100644
--- a/.github/workflows/release_drafter.yml
+++ b/.github/workflows/release_drafter.yml
@@ -6,6 +6,8 @@ on:
 jobs:
 update_release_draft:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - name: Release Drafter
From fb47de01602c2de6a5115717c2ca3602581c7de7 Mon Sep 17 00:00:00 2001
From: ppinchuk
Date: Mon, 17 Nov 2025 15:47:00 -0700
Subject: [PATCH 3/4] Update permissions
---
 .github/workflows/ci-rust.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci-rust.yml b/.github/workflows/ci-rust.yml
index 4fd593b27..eda92dfc4 100644
--- a/.github/workflows/ci-rust.yml
+++ b/.github/workflows/ci-rust.yml
@@ -1,6 +1,7 @@
 name: Rust Checks
 permissions:
- contents: read
+ contents: write
+ packages: write
 on:
 push:
From e2ceaca52fe3766a939053b560b5d3a99e978e46 Mon Sep 17 00:00:00 2001
From: ppinchuk
Date: Mon, 17 Nov 2025 16:36:51 -0700
Subject: [PATCH 4/4] Remove permissions tag for now
---
 .github/workflows/ci-rust.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/ci-rust.yml b/.github/workflows/ci-rust.yml
index eda92dfc4..e5a196d38 100644
--- a/.github/workflows/ci-rust.yml
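Review bot: In codecov.yml (job `run`) and publish_to_pypi.yml (job `deploy`), a job-level `permissions:` block listing only `contents: read` sets every unlisted scope to `none`, `id-token` included. The steps of both jobs are outside the hunks, so this cannot be checked here. If the PyPI upload relies on trusted publishing or the Codecov upload on OIDC, the job also needs `id-token: write` next to `contents: read`. If both authenticate with stored token secrets, the blocks are correct as written; a comment such as `# upload authenticates with a repository secret, no OIDC token needed` would record that.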
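Review bot: In release_drafter.yml, the `update_release_draft` job is granted only `contents: write`, which leaves `pull-requests` at `none`. Release Drafter builds the draft from merged pull requests, and its README lists `pull-requests: read` as the minimum next to `contents: write` (`write` only when the autolabeler is enabled). Suggest adding `pull-requests: read` under the job's `permissions:`. The step list continues outside the hunk, so the action's configuration is not visible here.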
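Review bot: In PATCH 3/4, workflow-level `contents: write` and `packages: write` in ci-rust.yml give a write-capable `GITHUB_TOKEN` to every job and step of Rust Checks, including any third-party actions it runs. The commit message does not say which step failed under `contents: read`. Prefer keeping `contents: read` at the top of the workflow and adding the extra scope under the one job that needs it. PATCH 4/4 then drops the block altogether, which returns the workflow to the repository's default token permissions and leaves it the only one of the five workflows without an explicit block.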
+++ b/.github/workflows/ci-rust.yml
@@ -1,7 +1,4 @@
 name: Rust Checks
-permissions:
- contents: write
- packages: write
 on:
 push: