From 65f18b051a6f0023eae1db196bdf0ab9bfa951df Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 29 Jun 2025 04:31:59 +0000
Subject: [PATCH 1/2] Initial plan
From afb9a81a9cab1085bb7725f55e5625aa29a05b69 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 29 Jun 2025 04:45:50 +0000
Subject: [PATCH 2/2] Remove redundant contents:read from job-specific permission blocks
Co-authored-by: trask <218610+trask@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 2 --
 .github/workflows/issue-management-feedback-label.yml | 1 -
 .github/workflows/issue-management-stale-action.yml | 1 -
 .github/workflows/ossf-scorecard.yml | 1 -
 .github/workflows/reusable-workflow-notification.yml | 1 -
 5 files changed, 6 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9e3dcede8f..8f06464d01 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,7 +17,6 @@ jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
 permissions:
- contents: read
 actions: read # for github/codeql-action/init to get workflow details
 security-events: write # for github/codeql-action/analyze to upload SARIF results
 strategy:
@@ -63,7 +62,6 @@ jobs:

 workflow-notification:
 permissions:
- contents: read
 issues: write
 needs:
 - analyze
diff --git a/.github/workflows/issue-management-feedback-label.yml b/.github/workflows/issue-management-feedback-label.yml
index 411db8293a..082b398fe4 100644
--- a/.github/workflows/issue-management-feedback-label.yml
+++ b/.github/workflows/issue-management-feedback-label.yml
@@ -10,7 +10,6 @@ permissions:
 jobs:
 issue_comment:
 permissions:
- contents: read
 issues: write
 pull-requests: write
 if: >
diff --git a/.github/workflows/issue-management-stale-action.yml b/.github/workflows/issue-management-stale-action.yml
index 44fd26028c..cc968577a2 100644
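Review bot: The `contents: read` removed under the `analyze` job's `permissions:` is not redundant, because a job-level `permissions` block replaces the workflow-level one instead of merging with it — every scope not listed in the job block becomes `none` — so this job now runs without any `contents` access, and the same applies to the second hunk in this file and to the hunks in issue-management-feedback-label.yml, issue-management-stale-action.yml, ossf-scorecard.yml and reusable-workflow-notification.yml. For the issue/notification jobs that is probably harmless (their steps are outside the hunks, but nothing visible needs repository contents), whereas the CodeQL `analyze` job and the Scorecard `analysis` job presumably check out and scan the repository; as far as I recall, the CodeQL and Scorecard starter templates describe `contents: read` as needed only in private repositories, so if this change works it is because the repository is public, not because the scope was already granted. I would either keep `      contents: read # for actions/checkout; a job-level permissions block does not inherit the workflow-level one` in those two jobs or reword the commit message to say the scope is unneeded for a public repository, and confirm with a run of both workflows. The job definitions continue outside the hunks.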
--- a/.github/workflows/issue-management-stale-action.yml
+++ b/.github/workflows/issue-management-stale-action.yml
@@ -11,7 +11,6 @@ permissions:
 jobs:
 stale:
 permissions:
- contents: read
 issues: write # for actions/stale to close stale issues
 pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
index e30aadd326..8f2540becf 100644
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -14,7 +14,6 @@ permissions:
 jobs:
 analysis:
 permissions:
- contents: read
 # Needed for Code scanning upload
 security-events: write
 # Needed for GitHub OIDC token if publish_results is true
diff --git a/.github/workflows/reusable-workflow-notification.yml b/.github/workflows/reusable-workflow-notification.yml
index d45bf4e079..ce0cc3441c 100644
--- a/.github/workflows/reusable-workflow-notification.yml
+++ b/.github/workflows/reusable-workflow-notification.yml
@@ -15,7 +15,6 @@ permissions:
 jobs:
 workflow-notification:
 permissions:
- contents: read
 issues: write
 runs-on: ubuntu-latest
 steps: