From a453348fb03637e74b307cd681d6b79bb428a251 Mon Sep 17 00:00:00 2001
From: Mason Daugherty
Date: Tue, 31 Mar 2026 13:31:16 -0400
Subject: [PATCH] ci: tighten top-level release permissions to `contents: read` (#36404)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tighten the top-level `permissions` default in the release workflow from `contents: write` to `contents: read`.

All 8 jobs already declare their own `permissions` blocks, so this has zero functional impact — but it prevents any future job added without explicit permissions from silently inheriting write access.
---
 .github/workflows/_release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml
index 8443cca30bf..8aa093abdd6 100644
--- a/.github/workflows/_release.yml
+++ b/.github/workflows/_release.yml
@@ -37,7 +37,7 @@ env:
   UV_NO_SYNC: "true"
 
 permissions:
-  contents: write # Required for creating GitHub releases
+  contents: read # Job-level overrides grant write only where needed (mark-release)
 
 jobs:
   # Build the distribution package and extract version info
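Review bot: The inline comment on the added `contents: read` line names `mark-release` as the only job that is granted write, but the commit description says all eight jobs carry their own `permissions` blocks and none of them is visible in this hunk, so the comment will mislead the next reader if any other job (publishing, tagging) also declares `contents: write`. A wording that stays true regardless of which jobs escalate, and that also gives yamllint's two-space inline-comment spacing, would be `  contents: read  # Workflow default; jobs that need write declare it in their own permissions block`. It is worth confirming from the rest of the file that every job indeed sets `permissions` explicitly, since a job without one now inherits read-only and would fail at its first write rather than at review time. The `permissions` and `jobs` mappings both continue outside the hunk.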