From b9371ebfa7b3e2940acbb44b284bd830db716411 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:55:54 -0400
Subject: [PATCH 1/4] ci: scope down permissions for release_pr.yml
---
 .github/workflows/release_pr.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index 1c9ab02f..fc4a193b 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
@@ -17,6 +17,10 @@ env:
 GIT_USER_NAME: amplify-android-dev+ghops
 GIT_USER_EMAIL: amplify-android-dev+ghops@amazon.com
 BASE_BRANCH: ${{ github.ref_name }}
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 create_pr_for_next_release:
 runs-on: ubuntu-latest
From cdadd38fcb33973e587145325e9cfcffa77f6ef8 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:55:56 -0400
Subject: [PATCH 2/4] ci: scope down permissions for notify_pull_request.yml
---
 .github/workflows/notify_pull_request.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/notify_pull_request.yml b/.github/workflows/notify_pull_request.yml
index 419f4a8f..c4c7cda1 100644
--- a/.github/workflows/notify_pull_request.yml
+++ b/.github/workflows/notify_pull_request.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 types: [opened, ready_for_review, reopened]
+permissions:
+ contents: read
+
 jobs:
 notify:
 runs-on: ubuntu-latest
From b14d5f407db9407025297d626b7ab090ef68bbb7 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:55:58 -0400
Subject: [PATCH 3/4] ci: scope down permissions for notify_release.yml
---
 .github/workflows/notify_release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/notify_release.yml b/.github/workflows/notify_release.yml
index b2544dac..4a46a128 100644
--- a/.github/workflows/notify_release.yml
+++ b/.github/workflows/notify_release.yml
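Review bot: The new `permissions:` block in release_pr.yml is at workflow level, so `contents: write` and `pull-requests: write` are handed to every job in the file, not just `create_pr_for_next_release`, which is the job that pushes a branch and opens the PR. The usual least-privilege layout is a read-only workflow default with the write scopes raised inside that one job, so a job added later inherits `contents: read` instead of write. The job's steps are outside the hunk and I cannot see whether other jobs exist, so treat this as a layout suggestion rather than a defect; the change is still a scope-down as written.
```yaml
permissions:
  contents: read

jobs:
  create_pr_for_next_release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    # … unchanged: steps …
```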
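Review bot: In notify_pull_request.yml, `contents: read` is the right floor only if the `notify` job checks out the repository; a job that only posts to an external endpoint using values from `secrets` needs no repository scope at all, and `permissions: {}` would leave `GITHUB_TOKEN` with no grants. The job's steps are outside the hunk, so which case applies is not visible here. The same question holds for the identical `contents: read` blocks added to notify_release.yml and codecov_code_coverage.yml; the codecov `build` job very likely needs checkout, so `contents: read` fits there, while the two notify jobs are worth a look.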
@@ -4,6 +4,9 @@ on:
 release:
 types: [created, published]
+permissions:
+ contents: read
+
 jobs:
 notify:
 runs-on: ubuntu-latest
From 7caa3777e5d6c235a8ac227b028b7d17661dd762 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:55:59 -0400
Subject: [PATCH 4/4] ci: scope down permissions for codecov_code_coverage.yml
---
 .github/workflows/codecov_code_coverage.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/codecov_code_coverage.yml b/.github/workflows/codecov_code_coverage.yml
index 4e12253b..c76f6a60 100644
--- a/.github/workflows/codecov_code_coverage.yml
+++ b/.github/workflows/codecov_code_coverage.yml
@@ -8,6 +8,9 @@ on:
 branches:
 - 'main'
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest