ci: scope down GitHub Token permissions (#570)

AdnaneKhan · web-flow · commit b5d9f76fe0ff · 2026-01-13T15:51:28.000Z
* ci: scope down permissions for repo-sync.yml

* ci: scope down permissions for aws-lambda-java-serialization.yml

* ci: scope down permissions for aws-lambda-java-events-sdk-transformer.yml

* ci: scope down permissions for samples.yml

* ci: scope down permissions for aws-lambda-java-log4j2.yml

* ci: scope down permissions for aws-lambda-java-tests.yml

* ci: scope down permissions for runtime-interface-client_pr.yml

* ci: scope down permissions for aws-lambda-java-events.yml

* ci: scope down permissions for aws-lambda-java-core.yml
diff --git a/.github/workflows/aws-lambda-java-core.yml b/.github/workflows/aws-lambda-java-core.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-core/**'
       - '.github/workflows/aws-lambda-java-core.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-events-sdk-transformer.yml b/.github/workflows/aws-lambda-java-events-sdk-transformer.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-events-sdk-transformer/**'
       - '.github/workflows/aws-lambda-java-events-sdk-transformer.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-events.yml b/.github/workflows/aws-lambda-java-events.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-events/**'
       - '.github/workflows/aws-lambda-java-events.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-log4j2.yml b/.github/workflows/aws-lambda-java-log4j2.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-log4j2/**'
       - '.github/workflows/aws-lambda-java-log4j2.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-serialization.yml b/.github/workflows/aws-lambda-java-serialization.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-serialization/**'
       - '.github/workflows/aws-lambda-java-serialization.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-tests.yml b/.github/workflows/aws-lambda-java-tests.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-tests/**'
       - '.github/workflows/aws-lambda-java-tests.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
@@ -9,6 +9,10 @@ on:
       - '.github/workflows/repo-sync.yml'
   workflow_dispatch:
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   repo-sync:
     name: Repo Sync
diff --git a/.github/workflows/runtime-interface-client_pr.yml b/.github/workflows/runtime-interface-client_pr.yml
@@ -10,6 +10,9 @@ on:
       - 'aws-lambda-java-runtime-interface-client/**'
       - '.github/workflows/runtime-interface-client_*.yml'
 
+permissions:
+  contents: read
+
 jobs:
 
   smoke-test:
diff --git a/.github/workflows/samples.yml b/.github/workflows/samples.yml
@@ -14,6 +14,9 @@ on:
       - 'samples/**'
       - '.github/workflows/samples.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
