Locks down permissions to the job level with least privledge we can get away with

.github/workflows/ci-backend.yml

@@ -22,6 +22,7 @@ on:
 concurrency:
   group: backend-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
+permissions: {}
 env:
   DEFAULT_UV_VERSION: "0.10.x"
   NLTK_DATA: "/usr/share/nltk_data"
@@ -29,6 +30,8 @@ jobs:
   test:
     name: "Python ${{ matrix.python-version }}"
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       matrix:
         python-version: ['3.10', '3.11', '3.12']
@@ -102,6 +105,8 @@ jobs:
   typing:
     name: Check project typing
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     env:
       DEFAULT_PYTHON: "3.12"
     steps:

.github/workflows/ci-docker.yml

@@ -15,6 +15,7 @@ on:
 concurrency:
   group: docker-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
+permissions: {}
 env:
   REGISTRY: ghcr.io
 jobs:

.github/workflows/ci-docs.yml

@@ -21,10 +21,7 @@ on:
 concurrency:
   group: docs-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+permissions: {}
 env:
   DEFAULT_UV_VERSION: "0.10.x"
   DEFAULT_PYTHON_VERSION: "3.12"
@@ -32,6 +29,8 @@ jobs:
   build:
     name: Build Documentation
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - uses: actions/configure-pages@v5
       - name: Checkout
@@ -67,6 +66,10 @@ jobs:
     needs: build
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

.github/workflows/ci-frontend.yml

@@ -16,10 +16,13 @@ on:
 concurrency:
   group: frontend-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
+permissions: {}
 jobs:
   install-dependencies:
     name: Install Dependencies
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -47,6 +50,8 @@ jobs:
     name: Lint
     needs: install-dependencies
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -75,6 +80,8 @@ jobs:
     name: "Unit Tests (${{ matrix.shard-index }}/${{ matrix.shard-count }})"
     needs: install-dependencies
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -121,6 +128,8 @@ jobs:
     name: "E2E Tests (${{ matrix.shard-index }}/${{ matrix.shard-count }})"
     needs: install-dependencies
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     container: mcr.microsoft.com/playwright:v1.58.2-noble
     env:
       PLAYWRIGHT_BROWSERS_PATH: /ms-playwright
@@ -161,6 +170,8 @@ jobs:
     name: Bundle Analysis
     needs: [unit-tests, e2e-tests]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v6

.github/workflows/ci-lint.yml

@@ -9,10 +9,13 @@ on:
 concurrency:
   group: lint-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
+permissions: {}
 jobs:
   lint:
     name: Linting via prek
     runs-on: ubuntu-slim
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v6.0.2

.github/workflows/ci-release.yml

@@ -7,6 +7,7 @@ on:
 concurrency:
   group: release-${{ github.ref }}
   cancel-in-progress: false
+permissions: {}
 env:
   DEFAULT_UV_VERSION: "0.10.x"
   DEFAULT_PYTHON_VERSION: "3.12"
@@ -14,6 +15,10 @@ jobs:
   wait-for-docker:
     name: Wait for Docker Build
     runs-on: ubuntu-24.04
+    permissions:
+      # lewagon/wait-on-check-action reads workflow check runs
+      actions: read
+      contents: read
     steps:
       - name: Wait for Docker build
         uses: lewagon/wait-on-check-action@v1.5.0
@@ -26,6 +31,8 @@ jobs:
     name: Build Release
     needs: wait-for-docker
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -127,6 +134,10 @@ jobs:
     name: Publish Release
     needs: build-release
     runs-on: ubuntu-24.04
+    permissions:
+      # release-drafter reads PRs to build the changelog and creates/publishes the release
+      contents: write
+      pull-requests: read
     outputs:
       prerelease: ${{ steps.get-version.outputs.prerelease }}
       changelog: ${{ steps.create-release.outputs.body }}
@@ -174,6 +185,11 @@ jobs:
     needs: publish-release
     if: needs.publish-release.outputs.prerelease == 'false'
     runs-on: ubuntu-24.04
+    permissions:
+      # git push of the changelog branch requires contents: write
+      # github.rest.pulls.create() and github.rest.issues.addLabels() require pull-requests: write
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v6

.github/workflows/cleanup-tags.yml

@@ -12,6 +12,7 @@ on:
 concurrency:
   group: registry-tags-cleanup
   cancel-in-progress: false
+permissions: {}
 jobs:
   cleanup-images:
     name: Cleanup Image Tags for ${{ matrix.primary-name }}

.github/workflows/codeql-analysis.yml

@@ -18,6 +18,7 @@ on:
     branches: [dev]
   schedule:
     - cron: '28 13 * * 5'
+permissions: {}
 jobs:
   analyze:
     name: Analyze

.github/workflows/crowdin.yml

@@ -6,11 +6,16 @@ on:
   push:
     paths: ['src/locale/**', 'src-ui/messages.xlf', 'src-ui/src/locale/**']
     branches: [dev]
+permissions: {}
 jobs:
   synchronize-with-crowdin:
     name: Crowdin Sync
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
+    permissions:
+      # Crowdin action pushes translation branches and creates/updates PRs via GITHUB_TOKEN
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v6

.github/workflows/pr-bot.yml

@@ -2,13 +2,15 @@ name: PR Bot
 on:
   pull_request_target:
     types: [opened]
-permissions:
-  contents: read
-  pull-requests: write
+permissions: {}
 jobs:
   pr-bot:
     name: Automated PR Bot
     runs-on: ubuntu-latest
+    permissions:
+      # labeler reads file paths; all steps add labels or post comments on PRs
+      contents: read
+      pull-requests: write
     steps:
       - name: Label PR by file path or branch name
         # see .github/labeler.yml for the labeler config

.github/workflows/project-actions.yml

@@ -7,13 +7,14 @@ on:
     branches:
       - main
       - dev
-permissions:
-  contents: read
+permissions: {}
 jobs:
   pr_opened_or_reopened:
     name: pr_opened_or_reopened
     runs-on: ubuntu-24.04
     permissions:
+      # release-drafter reads its config file from the repo
+      contents: read
       # write permission is required for autolabeler
       pull-requests: write
     if: github.event_name == 'pull_request_target' && (github.event.action == 'opened' || github.event.action == 'reopened') && github.event.pull_request.user.login != 'dependabot'

.github/workflows/repo-maintenance.yml

@@ -3,10 +3,7 @@ on:
   schedule:
     - cron: '0 3 * * *'
   workflow_dispatch:
-permissions:
-  issues: write
-  pull-requests: write
-  discussions: write
+permissions: {}
 concurrency:
   group: lock
 jobs:
@@ -14,6 +11,9 @@ jobs:
     name: 'Stale'
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@v10
         with:
@@ -36,6 +36,10 @@ jobs:
     name: 'Lock Old Threads'
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
+    permissions:
+      issues: write
+      pull-requests: write
+      discussions: write
     steps:
       - uses: dessant/lock-threads@v6
         with:
@@ -56,6 +60,8 @@ jobs:
     name: 'Close Answered Discussions'
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
+    permissions:
+      discussions: write
     steps:
       - uses: actions/github-script@v8
         with:
@@ -113,6 +119,8 @@ jobs:
     name: 'Close Outdated Discussions'
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
+    permissions:
+      discussions: write
     steps:
       - uses: actions/github-script@v8
         with:
@@ -205,6 +213,8 @@ jobs:
     name: 'Close Unsupported Feature Requests'
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
+    permissions:
+      discussions: write
     steps:
       - uses: actions/github-script@v8
         with:

.github/workflows/translate-strings.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - dev
+permissions: {}
 jobs:
   generate-translate-strings:
     name: Generate Translation Strings