From bc734798e37a25d9e2c37150c62a33821a70c656 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Mon, 16 Feb 2026 08:12:45 -0800
Subject: [PATCH] Add permissions
---
 .github/workflows/ci.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6842ac0f3..cea2e84af 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -359,6 +359,9 @@ jobs:
 build-docker-image:
 name: Build Docker image for ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ packages: write
 if: (github.event_name == 'push' && (startsWith(github.ref, 'refs/heads/feature-') || startsWith(github.ref, 'refs/heads/fix-') || github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/beta' || contains(github.ref, 'beta.rc') || startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/heads/l10n_'))) || (github.event_name == 'pull_request' && (startsWith(github.head_ref, 'feature-') || startsWith(github.head_ref, 'fix-') || github.head_ref == 'dev' || github.head_ref == 'beta' || contains(github.head_ref, 'beta.rc') || startsWith(github.head_ref, 'l10n_')))
 concurrency:
 group: ${{ github.workflow }}-build-docker-image-${{ github.ref_name }}
@@ -597,6 +600,8 @@ jobs:
 publish-release:
 name: "Publish Release"
 runs-on: ubuntu-24.04
+ permissions:
+ contents: write
 outputs:
 prerelease: ${{ steps.get_version.outputs.prerelease }}
 changelog: ${{ steps.create-release.outputs.body }}
@@ -643,6 +648,10 @@ jobs:
 append-changelog:
 name: "Append Changelog"
 runs-on: ubuntu-24.04
+ permissions:
+ contents: write
+ pull-requests: write
+ issues: write
 needs:
 - publish-release
 if: needs.publish-release.outputs.prerelease == 'false'
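Review bot: The `packages: write` grant on `build-docker-image` also applies on the `pull_request` path, because the `if:` directly below admits PR head branches named `feature-*`, `fix-*`, `dev`, `beta` and `l10n_*`. GitHub caps the token at read-only for fork pull requests by default, but a PR from a branch in the same repository gets the write scope, so the build runs branch-supplied code with a token that can publish packages. The steps are outside this hunk, so I cannot tell whether the push is already gated on the event. If it is, record that above the block with a comment such as `# packages: write is only used by the push step; fork PRs get a read-only token`. Otherwise consider moving the push into its own job so that only that job holds `packages: write`.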
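Review bot: A job-level `permissions:` block sets every scope it does not list to `none`, so `publish-release` now holds only `contents: write`. The `changelog` output comes from `steps.create-release.outputs.body`. If that step, which is outside this hunk, builds the body from merged pull requests, it may also need `pull-requests: read`. Confirm against a release run, and if the scope is needed add `pull-requests: read` beneath `contents: write`, with a comment naming the step that uses it.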
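Review bot: `append-changelog` receives three write scopes, the broadest grant in this commit, and nothing in the hunk says which step needs which. Its steps are outside the hunk. A short comment per scope would let a later reviewer drop one safely, for example `# contents: write - push the changelog branch`, `# pull-requests: write - open the changelog PR` and `# issues: write - label the PR`, each adjusted to what the steps actually do. If `issues: write` turns out to be unused, remove it rather than keeping it for symmetry.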