From d9f0b75d3363adc74fed7fbe2c8bd86a1f2e70fb Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:48:38 -0400
Subject: [PATCH 1/3] ci: scope down permissions for stale-bot.yml

---
 .github/workflows/stale-bot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index 49ddc47c00..92d7a86863 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -17,6 +17,10 @@ on:
 - cron: '0 20 * * SUN' # every Sunday at 20 am UTC: PST 0:00 AM "
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 stale-close:
 runs-on: ubuntu-latest
From b8c3c58833d14eda056d40af29d434301cecf9ae Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:48:40 -0400
Subject: [PATCH 2/3] ci: scope down permissions for codeql-analysis.yml

---
 .github/workflows/codeql-analysis.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1ff9f43d9a..f07a8a14c2 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -15,6 +15,9 @@ on:
 push:
 branches: [ main ]
+permissions:
+ contents: read
+
 jobs:
 analyze:
 # This repository only have Java and Rust code. Rust is not supported currently.
From 957ce2389d8212980041b3b62ae09cfceae24a82 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:48:42 -0400
Subject: [PATCH 3/3] ci: scope down permissions for pr-build.yml

---
 .github/workflows/pr-build.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 2c390d9ba2..943277da41 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -13,6 +13,9 @@ on:
 env:
 TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test-v2
+permissions:
+ contents: read
+
 jobs:
 static-code-checks:
 runs-on: ubuntu-latest
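Review bot: In stale-bot.yml the two write scopes are granted at workflow level, so any job later added to this file inherits `issues: write` and `pull-requests: write`; moving the block under `stale-close:` would tie the grant to the one job that appears to need it. A `permissions:` block also sets every scope it does not list to `none`, and that holds for the blocks added in codeql-analysis.yml and pr-build.yml as well. The job bodies lie outside all three hunks, so each step should be checked for anything beyond the listed scopes (for example an OIDC token request, which needs `id-token: write`, or a step that writes to the Actions cache). A short comment above the block, such as `# GITHUB_TOKEN: only what is needed to label, comment on and close stale issues and PRs`, would record why these two scopes are the write exceptions.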
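Review bot: In codeql-analysis.yml the workflow-level default of `contents: read` leaves the `analyze` job without `security-events: write`, which the CodeQL analyze step needs in order to upload its results to code scanning. The job body is outside this hunk, so this applies only if `analyze` runs the CodeQL action and declares no `permissions:` block of its own; in that case the upload would be rejected and findings would stop reaching the Security tab. A job-level block replaces the workflow default rather than adding to it, so it should list `contents: read` together with `security-events: write` (and `actions: read` if the repository is private).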