2 files changed, 20 insertions, 4 deletions

diff --git a/.github/workflows/bun-release-canary.yml b/.github/workflows/bun-release-canary.yml
index e9d9f4339..aaaf3d48e 100644
--- a/.github/workflows/bun-release-canary.yml
+++ b/.github/workflows/bun-release-canary.yml
@@ -9,6 +9,8 @@ jobs:
     name: Sign Release
     runs-on: ubuntu-latest
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: write
     defaults:
       run:
         working-directory: packages/bun-release
@@ -42,6 +44,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: sign
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: read
     defaults:
       run:
         working-directory: packages/bun-release
@@ -68,6 +72,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: sign
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: read
     strategy:
       matrix:
         variant:
@@ -118,6 +124,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: sign
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: read
     defaults:
       run:
         working-directory: packages/bun-release
diff --git a/.github/workflows/bun-release.yml b/.github/workflows/bun-release.yml
index ab08246e0..294a41ea6 100644
--- a/.github/workflows/bun-release.yml
+++ b/.github/workflows/bun-release.yml
@@ -13,9 +13,10 @@ on:
 jobs:
   sign:
     name: Sign Release
-    permissions: write-all
     runs-on: ubuntu-latest
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: write
     defaults:
       run:
         working-directory: packages/bun-release
@@ -54,9 +55,10 @@ jobs:
   npm:
     name: Release to NPM
     runs-on: ubuntu-latest
-    permissions: write-all
     needs: sign
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: read
     defaults:
       run:
         working-directory: packages/bun-release
@@ -90,6 +92,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: sign
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: read
     defaults:
       run:
         working-directory: packages/bun-types
@@ -133,6 +137,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: sign
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: read
     strategy:
       matrix:
         variant:
@@ -191,10 +197,11 @@ jobs:
             BUN_VERSION=${{ env.TAG }}
   homebrew:
     name: Release to Homebrew
-    permissions: write-all
     runs-on: ubuntu-latest
     needs: sign
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: read
     steps:
       - id: checkout
         name: Checkout
@@ -235,9 +242,10 @@ jobs:
   s3:
     name: Upload to S3
     runs-on: ubuntu-latest
-    permissions: write-all
     needs: sign
     if: github.repository_owner == 'oven-sh'
+    permissions:
+      contents: read
     defaults:
       run:
         working-directory: packages/bun-release