From 08f8bc41e34de3664680df26997e461c74c4b125 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 1 Jul 2025 00:00:04 +0000
Subject: [PATCH 1/2] Initial plan


From 3ab951b6f1998e861c2fbbb638b545b460a5fa30 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 1 Jul 2025 00:05:25 +0000
Subject: [PATCH 2/2] Changes before error encountered

Co-authored-by: trask <218610+trask@users.noreply.github.com>
---
 .github/workflows/backport.yml            | 3 +++
 .github/workflows/changelog.yml           | 3 +++
 .github/workflows/codeql-analysis.yml     | 3 +++
 .github/workflows/component-owners.yml    | 3 +++
 .github/workflows/core_contrib_test_0.yml | 3 +++
 .github/workflows/lint_0.yml              | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 26789093f2..787b2420ac 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on:
         description: "The pull request # to backport"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   backport:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 491ddd27fa..cbbc612f03 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   changelog:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8ef01d21cb..5416c39d5a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,9 @@ on:
     #        *  * * * *
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml
index f0068701f7..cd84f16095 100644
--- a/.github/workflows/component-owners.yml
+++ b/.github/workflows/component-owners.yml
@@ -6,6 +6,9 @@ name: 'Component Owners'
 on:
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   run_self:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/core_contrib_test_0.yml b/.github/workflows/core_contrib_test_0.yml
index fce687457e..e3362fb45b 100644
--- a/.github/workflows/core_contrib_test_0.yml
+++ b/.github/workflows/core_contrib_test_0.yml
@@ -13,6 +13,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 env:
   CORE_REPO_SHA: ${{ inputs.CORE_REPO_SHA }}
   CONTRIB_REPO_SHA: ${{ inputs.CONTRIB_REPO_SHA }}
diff --git a/.github/workflows/lint_0.yml b/.github/workflows/lint_0.yml
index 406e1aecb0..8583425708 100644
--- a/.github/workflows/lint_0.yml
+++ b/.github/workflows/lint_0.yml
@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true