From 4b02d04fb48847652a6932bc992352e3da275590 Mon Sep 17 00:00:00 2001
From: Neha Oudin <17551419+Gu1nness@users.noreply.github.com>
Date: Fri, 6 Feb 2026 12:53:06 +0000
Subject: [PATCH] fix: reduce workflow permissions (#652)
---
 .github/workflows/ci.yaml | 6 ++++++
 .github/workflows/release.yaml | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6943df059..646248127 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -21,6 +21,8 @@ jobs:
 lint:
 name: Lint
 uses: canonical/data-platform-workflows/.github/workflows/lint.yaml@v35.0.4
+ permissions:
+ contents: read
 terraform-test:
 name: Terraform - Validation and replica-set product
@@ -106,6 +108,8 @@ jobs:
 name: Check libraries
 runs-on: ubuntu-latest
 timeout-minutes: 5
+ permissions:
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -132,6 +136,8 @@ jobs:
 with:
 path-to-charm-directory: ${{ matrix.path }}
 cache: false
+ permissions:
+ contents: read
 integration-test:
 name: Integration test charm
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5f0e53f6f..796c4532f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ jobs:
 uses: ./.github/workflows/ci.yaml
 secrets: inherit
 permissions:
- contents: write # Needed for Allure Report beta
+ contents: write # Needed to create git tag
 release:
 name: Release charm
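Review bot: The read-only scope is declared job by job (here on `lint`, and again in the hunks at old lines 106 and 132), so any job without its own block keeps whatever default the repository or the calling workflow grants. That applies to `terraform-test` and `integration-test`, whose headers appear only as context, unless they set permissions outside these hunks. A workflow-level `permissions: {}` (or `contents: read`) near the top of ci.yaml, which is not visible here, would make least privilege the default, so a job added later starts with no token scopes and has to request what it needs. For `lint` and, apparently, the job in the third hunk, which call reusable workflows, the block also caps the called workflow's token. It is therefore worth confirming that lint.yaml at the referenced tag needs nothing beyond `contents: read`.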
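Review bot: Declaring `contents: read` on the "Check libraries" job also sets every scope not listed to `none`. Any step after the Checkout shown here that uses the job token for more than reading the repository (commenting on or labelling a pull request, for instance) will start failing with a permission error. The rest of the job's steps are outside the hunk, so this needs checking against them. If such a step exists, grant only that scope next to the read, e.g. `pull-requests: write`, rather than widening `contents`. A short comment on the block, such as `# checkout only; all other token scopes are none`, would record the intent for the next editor.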
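Review bot: The new comment says `contents: write` is needed to create a git tag, but the block sits on the job that calls `./.github/workflows/ci.yaml` with `secrets: inherit`, not on the `release` job that starts right after it. The write scope is therefore the ceiling for the whole CI workflow, and any job in ci.yaml without its own `permissions:` block inherits it along with every inherited secret. If the tag is created in `release`, this call could drop to `contents: read` and the write grant could move to the job that tags. If some CI job really does push, the comment should name it, e.g. `contents: write  # <job in ci.yaml> pushes <what>`. The calling job's header is above the hunk, so this is inferred from the `uses:` context line.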