From 6ac1ae2fe9b1d6ae1174bf9a7deebf3db700f69a Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:00:56 -0400
Subject: [PATCH 1/3] ci: scope down permissions for closed-issue-message.yml
---
.github/workflows/closed-issue-message.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index 3f39fa8cca..e2fd6d293b 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -2,6 +2,9 @@ name: Closed Issue Message on: issues: types: [closed]
+permissions:
+ issues: write
+
jobs: auto_comment: runs-on: ubuntu-latest
From 76afe9c51fb4ec790d5f91a6261a596b60103cb9 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:00:58 -0400
Subject: [PATCH 2/3] ci: scope down permissions for close-stale-issues.yml
---
.github/workflows/close-stale-issues.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/close-stale-issues.yml b/.github/workflows/close-stale-issues.yml
index bda44798eb..54c837df59 100644
--- a/.github/workflows/close-stale-issues.yml
+++ b/.github/workflows/close-stale-issues.yml
@@ -5,6 +5,10 @@ on: schedule: - cron: "0 6 * * *"
+permissions:
+ issues: write
+ pull-requests: write
+
jobs: cleanup: runs-on: ubuntu-latest
From aab2107b984fd64d529d391237cee98767f605eb Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:00:59 -0400
Subject: [PATCH 3/3] ci: scope down permissions for build-pull-request.yml
---
.github/workflows/build-pull-request.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build-pull-request.yml b/.github/workflows/build-pull-request.yml
index 3e9a501a2b..ca1d1d36a8 100644
--- a/.github/workflows/build-pull-request.yml
+++ b/.github/workflows/build-pull-request.yml
@@ -8,6 +8,9 @@ on: paths: - '**'
+permissions:
+ contents: read
+
jobs: build:
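Review bot: The new top-level `permissions:` block in closed-issue-message.yml has no comment saying why `issues: write` is the scope required, and the same is true of the blocks added to close-stale-issues.yml and build-pull-request.yml. Once any scope is listed, every scope not listed is set to none for the GITHUB_TOKEN, so a later editor who adds a step needing another scope will see it fail without an obvious cause. I would put a comment above the block, for example `# Least privilege: auto_comment only comments on the closed issue; unlisted scopes are none.` The steps of `auto_comment` lie outside the hunk, so the claim that the job only comments is inferred from the workflow name and should be confirmed before the comment is written.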
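Review bot: `pull-requests: write` in close-stale-issues.yml should be checked against the steps of the `cleanup` job, which lie outside the hunk: if the stale step only processes issues, as the file name suggests, that line can be dropped so the token keeps `issues: write` alone. In the other direction, listing any scope sets the unlisted ones to none, so a step that relied on a scope from the previous default token would now fail. With the `cron: "0 6 * * *"` trigger such a failure surfaces only on the next scheduled run, so the first run after merge is worth watching to confirm the two scopes are sufficient.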