From d448de2d5b0fa208fede648ccd34bb3ea7653c45 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:42:57 -0400
Subject: [PATCH 1/2] ci: scope down permissions for stale-bot.yml
---
 .github/workflows/stale-bot.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index b901bd785..3261e292f 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -16,6 +16,10 @@ on:
 schedule:
 - cron: '0 20 * * SUN' # every Sunday at 20 am UTC: PST 0:00 AM "
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 stale-close:
 runs-on: ubuntu-22.04
From 67d57f341163fca41a2ed3cba7e808c9520a576c Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:42:58 -0400
Subject: [PATCH 2/2] ci: scope down permissions for codeql-analysis.yml
---
 .github/workflows/codeql-analysis.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 660040a08..ddd971bc0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
 schedule:
 - cron: '29 8 * * 0'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
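Review bot: The new `permissions` block in stale-bot.yml sits at workflow level, so any job added to this file later inherits `issues: write` and `pull-requests: write`. Moving the same three lines under `stale-close:` would keep the write scopes on the one job that needs them. Declaring `permissions` also sets every unlisted scope to `none`. The body of `stale-close` continues outside the hunk, so check whether any of its steps check out the repository or use the Actions cache; such a step would need `contents: read` or `actions: write` listed explicitly.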
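Review bot: With a workflow-level `contents: read` in codeql-analysis.yml, every unlisted scope becomes `none`, so the `analyze` job can upload code-scanning results only if it declares its own `security-events: write`. The job body continues outside the hunk, so this cannot be confirmed from here. If `analyze` has no `permissions` block, add one containing `security-events: write` and `contents: read`, because a job-level block replaces the workflow-level one rather than merging with it. Without that scope the upload step would presumably fail on scheduled and push runs.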