From 171f6ade50087bad27fa104e1b8444a4ff65e9be Mon Sep 17 00:00:00 2001
From: Alex Tomkins
Date: Fri, 27 Mar 2026 19:42:24 +0000
Subject: [PATCH 1/3] Tighten publish permissions

---
 .github/workflows/publish.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a116b7b..f1a672b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,8 +5,7 @@ on:
     tags:
       - "*"
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build:

From 857971ff57a49b71633207eeed943b25fc8a3726 Mon Sep 17 00:00:00 2001
From: Alex Tomkins
Date: Fri, 27 Mar 2026 20:14:03 +0000
Subject: [PATCH 2/3] Drop id-token for GitHub releases

---
 .github/workflows/publish.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f1a672b..8338c1c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -63,7 +63,6 @@ jobs:
       url: ${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }}
     permissions:
       contents: write
-      id-token: write
     steps:
       - name: Download packages

From 5e2bf447f107f325c2c904bd9c24a46eac9283ca Mon Sep 17 00:00:00 2001
From: Alex Tomkins
Date: Fri, 27 Mar 2026 20:43:57 +0000
Subject: [PATCH 3/3] Add read permission for package building

---
 .github/workflows/publish.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 8338c1c..037bae0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,6 +12,8 @@ jobs:
     name: Build packages
     runs-on: ubuntu-24.04
     environment: publish
+    permissions:
+      contents: read
     steps:
       - name: Checkout
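Review bot: With the workflow-level block reduced to `permissions: {}`, every job now starts with a GITHUB_TOKEN that has no scopes, and this patch on its own leaves `build` without the `contents: read` that checkout needs on a private repository; the series only restores it in PATCH 3/3, so the intermediate commits are not independently runnable and could be squashed or reordered so the job-level grant lands first. Deny-by-default at the top is the right shape; a one-line comment above it would keep the intent visible to future editors, e.g. `# Deny all GITHUB_TOKEN scopes by default; each job grants only what it needs.`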
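Review bot: The new `contents: read` is the minimal scope for a checkout, but the `build` job still declares `environment: publish` two lines above it; if that environment carries deployment secrets or is the target of a trusted-publisher (OIDC) binding, the build job inherits access to them even though it only reads the repository, so the environment reference appears to belong on the publishing job alone. A comment on the new block would discourage the grant being widened casually, e.g. `# Checkout only; release/publish jobs declare their own write scopes.` The job's remaining steps continue past the hunk, so whether anything else in it needs more than read access cannot be judged from here.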