From 0f62c4fa79f3ee75e25d7011ca417cbefaa2c35e Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Fri, 28 Mar 2025 12:32:05 +0530
Subject: [PATCH] granular perms / docker-push

ref: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-with-repository-scoped-permissions
---
 .github/workflows/copycat-db-release.yml | 3 +++
 .github/workflows/server-publish-ghcr.yml | 4 ++++
 .github/workflows/server-release.yml | 3 +++
 .github/workflows/web-publish-ghcr.yml | 4 ++++
 4 files changed, 14 insertions(+)

diff --git a/.github/workflows/copycat-db-release.yml b/.github/workflows/copycat-db-release.yml
index 5ec942879d..ab8bac861c 100644
--- a/.github/workflows/copycat-db-release.yml
+++ b/.github/workflows/copycat-db-release.yml
@@ -3,6 +3,9 @@ name: "Release (copycat-db)"
 on:
 workflow_dispatch: # Run manually
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/server-publish-ghcr.yml b/.github/workflows/server-publish-ghcr.yml
index 5167f8cc4c..1d2e059208 100644
--- a/.github/workflows/server-publish-ghcr.yml
+++ b/.github/workflows/server-publish-ghcr.yml
@@ -7,6 +7,10 @@ on:
 # Run manually if needed to publish out of schedule.
 workflow_dispatch:
 
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/server-release.yml b/.github/workflows/server-release.yml
index fa02155300..6db84b1bfc 100644
--- a/.github/workflows/server-release.yml
+++ b/.github/workflows/server-release.yml
@@ -3,6 +3,9 @@ name: "Release (server)"
 on:
 workflow_dispatch: # Run manually
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/web-publish-ghcr.yml b/.github/workflows/web-publish-ghcr.yml
index 76c0c3de26..b69a75977f 100644
--- a/.github/workflows/web-publish-ghcr.yml
+++ b/.github/workflows/web-publish-ghcr.yml
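Review bot: Once a workflow-level `permissions:` block exists, GITHUB_TOKEN loses every scope not listed, so the `build` job in copycat-db-release.yml (its body is outside the hunk) now runs with `contents: read` only; if any of its steps push an image or create a release using GITHUB_TOKEN they will fail with a 403 at run time, since nothing checks this at parse time. If those steps carry their own registry credentials, `contents: read` is the right minimum for `actions/checkout`, and that intent is worth recording above the block, e.g. `# GITHUB_TOKEN is only needed for checkout; publishing steps use their own credentials.` The identical hunk in server-release.yml has the same open question.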
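Review bot: `packages: write` is granted at the workflow level, which hands the write scope to every job in server-publish-ghcr.yml rather than only to the `publish` job visible in the hunk, so a job added later (a test or lint step) would inherit push rights to the registry without anyone revisiting this block. Scoping it to the job keeps the top level read-only: leave `permissions:` with `contents: read` at the top and give `jobs.publish` its own `permissions:` block with `contents: read` and `packages: write` — a job-level block replaces the workflow-level one rather than extending it, so both scopes must be listed there. If the publish step also signs the image or attaches provenance through the GitHub OIDC token, that same block needs `id-token: write`; the job body is outside the hunk, so I cannot tell from here. The hunk in web-publish-ghcr.yml has the same shape and the same suggestion applies.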
@@ -7,6 +7,10 @@ on:
 # Run manually if needed to publish out of schedule.
 workflow_dispatch:
 
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 publish:
 runs-on: ubuntu-latest