From 9175c2f1a472e34434ffa040286bf0e143306a0d Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:28:46 -0400
Subject: [PATCH 1/3] ci: scope down permissions for stale_issues.yml
---
 .github/workflows/stale_issues.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/stale_issues.yml b/.github/workflows/stale_issues.yml
index 9963cd1..1fa6d2c 100644
--- a/.github/workflows/stale_issues.yml
+++ b/.github/workflows/stale_issues.yml
@@ -5,6 +5,10 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 cleanup:
 runs-on: ubuntu-latest
From 82c2fd915c6f394789b528205aa91847dbdaf918 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:28:48 -0400
Subject: [PATCH 2/3] ci: scope down permissions for closed-issue-message.yml
---
 .github/workflows/closed-issue-message.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index 1f28d85..df40768 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -2,6 +2,9 @@ name: Closed Issue Message
 on:
 issues:
 types: [closed]
+permissions:
+ issues: write
+
 jobs:
 auto_comment:
 runs-on: ubuntu-latest
From 4756eff85483a36c3829db9f3152ecf4548e5c08 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:28:50 -0400
Subject: [PATCH 3/3] ci: scope down permissions for change-file-in-pr.yml
---
 .github/workflows/change-file-in-pr.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml
index 5a930d0..deb5f56 100644
--- a/.github/workflows/change-file-in-pr.yml
+++ b/.github/workflows/change-file-in-pr.yml
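Review bot: In stale_issues.yml, `pull-requests: write` is granted alongside `issues: write`, but the step that does the cleanup is outside the hunk, so whether it ever labels or closes pull requests cannot be confirmed from here. If the action is configured for issues only, the block can be reduced to `issues: write`; if it does handle PRs, a comment above the block such as `# stale cleanup labels/closes both issues and PRs` would justify the second scope. Because the block sits at workflow level it applies to every job in the file, so if jobs other than `cleanup` exist or are added later, moving it under the job keeps the write scopes from spreading.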
@@ -4,6 +4,9 @@ on:
 pull_request:
 types: [opened, synchronize, reopened, labeled]
+permissions:
+ contents: read
+
 jobs:
 check-files-in-directory:
 if: ${{ !contains(github.event.pull_request.labels.*.name, 'Release Not Needed') && !contains(github.event.pull_request.labels.*.name, 'Release PR') }}
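Review bot: In change-file-in-pr.yml, declaring `permissions:` with only `contents: read` sets every other GITHUB_TOKEN scope to `none`, and the steps of `check-files-in-directory` are outside this hunk, so it is not visible whether any of them needs more. If a step lists the PR's changed files through the API, or posts a comment or status, the matching scope (for example `pull-requests: read`) would have to be added here, otherwise the job may start failing on private repositories. The `if:` label check reads the event payload and needs no token scope. A short comment above the block, e.g. `# least privilege: checkout only; add scopes here if a step calls the PR API`, would record the intent.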