From f07e339171ef3496ae76d23c21757f76a51a6bcc Mon Sep 17 00:00:00 2001
From: Thomas Neidhart
Date: Sat, 26 Oct 2024 20:51:03 +0200
Subject: [PATCH] chore: improve permissions for release workflow
---
 .github/workflows/release.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b1c5ae8b..f1ac8066 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,6 +23,9 @@ env:
 IMAGE_NAME: ${{ github.repository }}
 PYTHON_VERSION: '3.11'
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: false
@@ -30,8 +33,6 @@ concurrency:
 jobs:
 precheck:
 runs-on: ubuntu-22.04
- permissions:
- contents: write
 if: github.repository == 'eclipse-csi/otterdog'
 steps:
 - name: Check ref
@@ -115,7 +116,6 @@ jobs:
 runs-on: ubuntu-22.04
 needs: ['release']
 permissions:
- contents: read
 packages: write
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -155,7 +155,6 @@ jobs:
 name: pypi
 url: https://pypi.org/p/otterdog
 permissions:
- contents: read
 id-token: write
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
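Review bot: The workflow-level `permissions: contents: read` added in the first hunk does not carry into jobs that declare their own `permissions` block, because a job-level block replaces the default and leaves every unlisted scope at `none`. With `contents: read` removed in the `-115,7` and `-155,7` hunks, those two jobs are left with only `packages: write` and `id-token: write` respectively, yet both still begin with `actions/checkout`. That presumably keeps working only while the repository is public; keeping `contents: read` beside `packages: write` and `id-token: write` states the intent and survives a visibility change. Jobs outside the hunks (for example `release`, referenced by `needs`) now fall back to read-only unless they carry their own block, so confirm that any job creating tags or releases declares `contents: write` itself.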