smartcontractkit · cl-efornaciari · Feb 20, 2026 · Feb 20, 2026
@@ -5,10 +5,17 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   changesets:
     name: Changesets
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: write
     steps:
       # Checkout this repository
       - name: Checkout Repo

@@ -7,6 +7,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   contracts_run_ts_tests:
     name: Run Typescript Tests

@@ -7,6 +7,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   run_examples_tests:
     name: Run Tests

@@ -3,6 +3,9 @@ name: golangci_lint
 on:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   golangci-lint-version:
     name: Get golangci-lint version to from nix

@@ -6,6 +6,9 @@ on:
     branches:
       - develop
 
+permissions:
+  contents: read
+
 env:
   ECR_TAG: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink-starknet-tests:develop
 

@@ -19,6 +19,9 @@ concurrency:
   group: integration-tests-starknet-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 env:
   # for PR builds, ${{ github.sha }} is the temporary merge commit, we want the head commit instead
   SN_SHA: ${{ github.event.pull_request.head.sha || github.sha }}

@@ -20,6 +20,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 env:
   TEST_LOG_LEVEL: debug
   CL_ECR: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink

@@ -7,6 +7,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   gauntlet_eslint:
     name: Gauntlet ESLint

@@ -7,6 +7,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   lint_format_check:
     name: Format Check

@@ -8,6 +8,9 @@ on:
       - monitoring/**
       - relayer/**
 
+permissions:
+  contents: read
+
 jobs:
   build-and-publish-monitoring:
     runs-on: ubuntu-latest

@@ -7,6 +7,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   relayer_run_unit_tests:
     name: Run Unit Tests ${{ matrix.test-type.name }}

@@ -3,10 +3,15 @@ name: Starknet Gauntlet CLI Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   starknet-gauntlet-cli-release:
     name: Starknet Gauntlet CLI Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       # Checkout this repository
       - name: Checkout Repo

@@ -3,10 +3,15 @@ name: Starknet Relayer Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   starknet-relayer-release:
     name: Release Starknet Relayer
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       # Checkout this repository
       - name: Checkout Repo

@@ -3,6 +3,9 @@ name: SonarQube Scan
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   wait_for_workflows:
     name: Wait for workflows

@@ -7,6 +7,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   zizmor_analyzer:
     name: Zizmor