From 837bb4704af321c4336aa34ff7f8ef7c3a7c4f9e Mon Sep 17 00:00:00 2001
From: Hinano Hart <hinanohart@gmail.com>
Date: Wed, 20 May 2026 02:29:47 +0900
Subject: [PATCH 1/4] ci: add concurrency block to release.yml

---
 .github/workflows/release.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 190f379..e47569d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,10 @@ on:
     tags:
       - "v*"
 
+concurrency:
+  group: publish-${{ github.ref }}
+  cancel-in-progress: false
+
 permissions:
   contents: read
   id-token: write  # Required for OIDC trusted publishers

From f08a89cc76ef1d5ec7efd28b88e8f65974798956 Mon Sep 17 00:00:00 2001
From: Hinano Hart <hinanohart@gmail.com>
Date: Wed, 20 May 2026 02:32:37 +0900
Subject: [PATCH 2/4] ci: add minimum permissions to ci.yml

---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 09dde9c..33ca5ab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Python ${{ matrix.python-version }}"

From 1b3a98ade209b758047ce79863780ac6711eb603 Mon Sep 17 00:00:00 2001
From: Hinano Hart <hinanohart@gmail.com>
Date: Wed, 20 May 2026 02:32:40 +0900
Subject: [PATCH 3/4] ci: add minimum permissions to hf-deploy.yml

---
 .github/workflows/hf-deploy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/hf-deploy.yml b/.github/workflows/hf-deploy.yml
index 27bb427..f8dd17c 100644
--- a/.github/workflows/hf-deploy.yml
+++ b/.github/workflows/hf-deploy.yml
@@ -6,6 +6,9 @@ on:
     paths:
       - "hf_space/**"
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     name: Push hf_space/ to HuggingFace Spaces

From 618711bf9bc154f2b6a2f08be308db249eecdd0e Mon Sep 17 00:00:00 2001
From: Hinano Hart <hinanohart@gmail.com>
Date: Wed, 20 May 2026 02:32:43 +0900
Subject: [PATCH 4/4] ci: add minimum permissions to nightly-a100.yml

---
 .github/workflows/nightly-a100.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/nightly-a100.yml b/.github/workflows/nightly-a100.yml
index 0ab9a83..77397d5 100644
--- a/.github/workflows/nightly-a100.yml
+++ b/.github/workflows/nightly-a100.yml
@@ -11,6 +11,9 @@ on:
         required: false
         default: "M1"
 
+permissions:
+  contents: read
+
 jobs:
   nightly:
     name: "Nightly GPU run (${{ github.event.inputs.milestone || 'M1' }})"