From ebb07f75c20101e620866aeac09a04910a710579 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 14 May 2026 15:16:35 +0900
Subject: [PATCH] ci: declare empty permissions on release workflow

The release job authenticates every write path through DENOBOT_PAT: the actions/checkout step pulls with that token, and the tag-and- release step explicitly sets GITHUB_TOKEN=${{ secrets.DENOBOT_PAT }} when invoking @deno/rust-automation publish-release. The workflow's own GITHUB_TOKEN is unused.

permissions: {} at the job level documents that and matches the per-job style used by ci.yml and publish.yml (contents:read + id-token:write).

Signed-off-by: Arpit Jain
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6272f7499..35be70c94 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,6 +17,7 @@ jobs:
 name: release
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions: {}
 steps:
 - name: Clone repository
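Review bot: The added `permissions: {}` empties only the automatic `GITHUB_TOKEN`; going by the commit description, every write in this job runs under `DENOBOT_PAT`, whose scope this line does not limit, so the release job's effective privilege is unchanged. I would record that on the line itself, e.g. `permissions: {}  # GITHUB_TOKEN unused; all writes go through DENOBOT_PAT`, so a later reader does not take it for least privilege over the whole job. The steps list continues outside the hunk, so it is worth confirming that no later step falls back to the default `github.token` (many actions use it as an implicit input default), since such a step would now run with no permissions. If the checkout step keeps the default `persist-credentials: true`, the PAT stays in the local git config for every later step; that may be needed for the tag push, but it is the setting that governs token exposure here.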