From d6da493df9fce499600e57ff73dafc5e9c7af5ed Mon Sep 17 00:00:00 2001
From: Nick Fedor <71477161+nicholas-fedor@users.noreply.github.com>
Date: Mon, 3 Feb 2025 22:33:38 -0700
Subject: [PATCH] Add permissions
---
 .github/workflows/clean-cache.yml | 4 ++++
 .github/workflows/release.yml | 6 ++++++
 2 files changed, 10 insertions(+)
diff --git a/.github/workflows/clean-cache.yml b/.github/workflows/clean-cache.yml
index 92db39a..c84eaf1 100644
--- a/.github/workflows/clean-cache.yml
+++ b/.github/workflows/clean-cache.yml
@@ -5,6 +5,10 @@ on:
 types:
 - closed
 
+permissions:
+ actions: write
+ contents: read
+
 jobs:
 cleanup:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 55f0e92..6f4d784 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,12 @@ on:
 - "v[0-9]+.[0-9]+.[0-9]+"
 - "**/v[0-9]+.[0-9]+.[0-9]+"
 
+permissions:
+ contents: read # Needed for all jobs to checkout the repository
+ packages: write # For the build job to push to GHCR
+ attestations: write # For managing attestations in the build job
+ id-token: write # For OIDC token usage in the build and potentially in the renew-docs job
+
 jobs:
 lint:
 name: Lint
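Review bot: The new `permissions` block in clean-cache.yml gives no reason for its one write scope, `actions: write`, whereas the matching block in release.yml comments every scope. Assuming the cleanup job deletes caches through the Actions API (its steps are outside this hunk), an inline comment such as `actions: write # Needed to delete Actions caches` would record why the scope is there and make a later tightening review easier. The `cleanup` job body continues outside the hunk, so the exact API calls it makes should be checked against that comment.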
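Review bot: The write scopes added at workflow level in release.yml (`packages: write`, `attestations: write`, `id-token: write`) are granted to every job, including `lint`, although the inline comments say only the build job needs them. Keep `contents: read` as the workflow default and declare the write scopes in a job-level `permissions:` block on the job that pushes and attests; a job-level block replaces the workflow-level one rather than adding to it, so `contents: read` has to be repeated there. The comment on `id-token: write` says "potentially" for renew-docs, so that need should be confirmed before the job is allowed to request OIDC tokens. The job definitions are outside this hunk, so the job id in the sketch below is taken from the comments and should be checked against the file.

```yaml
permissions:
  contents: read # Default for every job: checkout only

jobs:
  # … unchanged: lint and the other jobs, which inherit the read-only default …
  build: # job id assumed from the hunk's comments
    # … unchanged: existing build job keys …
    permissions:
      contents: read # Repeated: a job-level block overrides the workflow default
      packages: write # Push to GHCR
      attestations: write # Manage attestations
      id-token: write # OIDC token
```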