From a1b088cbac69d01374e2db09cd8eb2b732bd371f Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Thu, 14 May 2026 12:04:54 +0900
Subject: [PATCH] ci: declare empty permissions on release workflow

The release job clones with DENOBOT_PAT and runs the publish_release
task using the same PAT as GITHUB_TOKEN. The workflow's own GITHUB_TOKEN
is unused. permissions:{} captures that.

Style matches the per-job blocks already declared elsewhere in this
repo's hardened workflows.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9370acc345..73539386af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,8 @@ on:
           - patch
         required: true
 
+permissions: {}
+
 jobs:
   rust:
     name: release