From aea0d1888bca55468251e0c2247fbd8608b6cf40 Mon Sep 17 00:00:00 2001
From: Kent Gruber <kent.gruber@temporal.io>
Date: Wed, 29 Oct 2025 15:07:43 -0400
Subject: [PATCH 1/2] Set explicit permissions for GitHub Actions workflows

This change was made by an automated process to ensure all GitHub Actions workflows have explicitly defined permissions as per best practices.
---
 .github/workflows/docker.yml          | 3 ++-
 .github/workflows/goreleaser.yml      | 2 ++
 .github/workflows/test.yml            | 3 ++-
 .github/workflows/trigger-publish.yml | 3 ++-
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 3e5c2e8..9eb003f 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,5 +1,6 @@
 name: Publish Docker image
-
+permissions:
+  contents: read
 on:
   push:
     branches:
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 0dd8c84..123acb1 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -1,4 +1,6 @@
 name: goreleaser
+permissions:
+  contents: write
 on:
   release:
     types:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2a6de2d..a2df6a7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,6 @@
 name: Test
-
+permissions:
+  contents: read
 on:
   push:
     branches: [main]
diff --git a/.github/workflows/trigger-publish.yml b/.github/workflows/trigger-publish.yml
index 1448274..b70913b 100644
--- a/.github/workflows/trigger-publish.yml
+++ b/.github/workflows/trigger-publish.yml
@@ -1,5 +1,6 @@
 name: 'Trigger Docker image build'
-
+permissions:
+  contents: read
 on:
   push:
     branches:

From 0fc4c9dcb7d61f2cfcdd29dfa34f345f3342f9ef Mon Sep 17 00:00:00 2001
From: Kent Gruber <kent.gruber@temporal.io>
Date: Thu, 29 Jan 2026 09:42:26 -0500
Subject: [PATCH 2/2] Add CODEOWNERS file

---
 .github/CODEOWNERS | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .github/CODEOWNERS

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..34903e4
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @temporalio/server
\ No newline at end of file