ci: scope down GitHub Token permissions (#5570)

AdnaneKhan · lrstewart · dougch · web-flow · commit 6aefe741f174 · 2025-10-28T00:28:27.000Z
Co-authored-by: Lindsay Stewart &lt;slindsay@amazon.com&gt;
Co-authored-by: Doug Chapman &lt;54039637+dougch@users.noreply.github.com&gt;
Co-authored-by: maddeleine &lt;59030281+maddeleine@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci_aws_kms_tls_auth.yml b/.github/workflows/ci_aws_kms_tls_auth.yml
@@ -9,6 +9,9 @@ on:
     types: [checks_requested]
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: rustfmt and clippy
diff --git a/.github/workflows/ci_freebsd.yml b/.github/workflows/ci_freebsd.yml
@@ -9,6 +9,9 @@ on:
     types: [checks_requested]
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   testfreebsd:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci_linting.yml b/.github/workflows/ci_linting.yml
@@ -8,6 +8,9 @@ on:
   merge_group:
     types: [checks_requested]
     branches: [main]
+permissions:
+  contents: read
+
 jobs:
   cppcheck:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci_openbsd.yml b/.github/workflows/ci_openbsd.yml
@@ -9,6 +9,9 @@ on:
     types: [checks_requested]
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   testopenbsd:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci_rust.yml b/.github/workflows/ci_rust.yml
@@ -23,6 +23,9 @@ env:
   # The name of a s2n-tls test gated behind the external build cfg flag.
   EXTERNAL_BUILD_TEST_NAME: test_unstable_as_ptr
 
+permissions:
+  contents: read
+
 jobs:
   generate:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -9,6 +9,10 @@ on:
     types: [checks_requested]
     branches: [main]
 
+permissions:
+  contents: write
+  pages: write
+
 jobs:
   generate-doxygen:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/gha_osx_tests.yml b/.github/workflows/gha_osx_tests.yml
@@ -10,6 +10,9 @@ on:
     types: [checks_requested]
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   OSX:
     runs-on: macos-latest
diff --git a/.github/workflows/policy_snapshot.yml b/.github/workflows/policy_snapshot.yml
@@ -14,6 +14,9 @@ env:
   COMMITTED_SNAPSHOTS: ./tests/policy_snapshot/snapshots
   GENERATED_SNAPSHOTS: ./tests/policy_snapshot/generated
   
+permissions:
+  contents: read
+
 jobs:
   snapshot:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/private_sync.yml b/.github/workflows/private_sync.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - main
+permissions:
+  contents: write
+
 jobs:
   build:
     # This should only run in one place.
diff --git a/.github/workflows/regression_ci.yml b/.github/workflows/regression_ci.yml
@@ -15,6 +15,9 @@ on:
 env:
   ROOT_PATH: bindings/rust/extended
 
+permissions:
+  contents: read
+
 jobs:
   regression-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/seccomp.yml b/.github/workflows/seccomp.yml
@@ -8,6 +8,9 @@ on:
     types: [checks_requested]
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/team_label.yml b/.github/workflows/team_label.yml
@@ -7,6 +7,9 @@ on:
       - 'main'
 name:
   team-label
+permissions:
+  pull-requests: write
+
 jobs:
   team-labeler:
     runs-on: ubuntu-latest
