open-component-model
diff --git a/‎.github/workflows/actionlint.yaml‎
Lines changed: 0 additions & 11 deletions b/‎.github/workflows/actionlint.yaml‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎.github/workflows/actionlint.yml‎
Lines changed: 0 additions & 19 deletions b/‎.github/workflows/actionlint.yml‎
Lines changed: 0 additions & 19 deletions
diff --git a/‎.github/workflows/codespell.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/codespell.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/markdown.yml‎
Lines changed: 0 additions & 41 deletions b/‎.github/workflows/markdown.yml‎
Lines changed: 0 additions & 41 deletions
diff --git a/‎.github/workflows/safe-settings.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/safe-settings.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/stale.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/stale.yml‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎.github/workflows/validation.yml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/validation.yml‎
Lines changed: 4 additions & 2 deletions
@@ -12,6 +12,9 @@ on:
         default: './**/*.y*ml ./**/*.go'
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   codespell:
     name: codespell
 
@@ -9,6 +9,12 @@ on:
     paths:
       - safe-settings/**
       - .github/workflows/safe-settings.yml
+
+# safe-settings authenticates via the OCMBOT GitHub App (APP_ID/PRIVATE_KEY),
+# so GITHUB_TOKEN only needs read access for checkout.
+permissions:
+  contents: read
+
 jobs:
   safeSettingsSync:
     name: synchronize settings
 
@@ -18,13 +18,15 @@ on:
         default: 'lifecycle/stale'
         type: string
 
-permissions:
-  contents: read # only for delete-branch option we would need write
-  issues: write
-  pull-requests: write
+permissions: {}
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # only for delete-branch option we would need write
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@v9
         with:
 
@@ -4,11 +4,13 @@ on:
     types:
       - opened
 
-permissions:
-  issues: write
+permissions: {}
+
 jobs:
   add-labels:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Add default Labels to new issues
         uses: actions/github-script@v7