w3c / IntersectionObserver

Intersection Observer

Home Page:https://www.w3.org/TR/intersection-observer/


Set minimum permissions for workflows

gabibguti opened this issue · comments

Setting minimum permissions for workflows is important to keep your repository safe against supply-chain attacks. GitHub gives a GITHUB_TOKEN for workflows to perform actions. The problem is that GITHUB_TOKEN is granted higher permissions by default, making way for supply-chain attacks. If you agree, I can try to adjust the permissions for the auto-publish.yml workflow in a PR :)

This setting is considered good practice and is recommended by GitHub itself and by other security tools, such as Scorecards and StepSecurity.

Additional context
About me, I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
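For readers following the thread, here is what the suggested change looks like in a GitHub Actions workflow. This is an added, hypothetical example, not the repository's own auto-publish.yml (whose contents are not shown here); the job names and steps are placeholders, and the point is the `permissions` keys. When a workflow has no `permissions` key at all, GITHUB_TOKEN falls back to the repository default, which depending on settings can be read/write on every scope.

```yaml
# Added example, not the w3c/IntersectionObserver workflow itself.
# Steps are placeholders; only the `permissions` keys matter here.
name: auto-publish

on:
  push:
    branches: [main]

# Workflow-wide default: grant the token no scopes at all. Each job
# that needs a scope has to request it explicitly below, so a
# compromised step in one job cannot borrow write access from another.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # just enough to check out the source
    steps:
      - uses: actions/checkout@v4
      - run: echo "build the spec here (placeholder)"

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write         # the only job allowed to push published output
    steps:
      - uses: actions/checkout@v4
      - run: echo "publish step (placeholder)"
```

A maintainer can confirm the result with the Scorecards Token-Permissions check (`scorecard --repo=github.com/w3c/IntersectionObserver --checks=Token-Permissions`), which flags workflows whose token keeps write scopes it does not use.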

Hi! Friendly ping here. This issue has been idle for quite some time. Do you plan on considering these changes? If yes, please let me know! Otherwise I will wait up to 2 more months to close the issue. Thanks!

@gabibguti sure, a PR would be cool. Thanks.