From 3bcb07633548b78fb1a0c183550e5592216ed35f Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 18:05:05 -0400
Subject: [PATCH 1/3] ci: scope down permissions for git-sync.yml
---
 .github/workflows/git-sync.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/git-sync.yml b/.github/workflows/git-sync.yml
index 3be59dee2e9..ca3c11bfbb7 100644
--- a/.github/workflows/git-sync.yml
+++ b/.github/workflows/git-sync.yml
@@ -5,6 +5,9 @@ on:
 branches: [main]
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 git-sync:
 runs-on: ubuntu-latest
From 8e145ff8cf062f9d7db7ee17f2549667ae40448d Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 18:05:07 -0400
Subject: [PATCH 2/3] ci: scope down permissions for update-smithy-gradle-plugin.yml
---
 .github/workflows/update-smithy-gradle-plugin.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/update-smithy-gradle-plugin.yml b/.github/workflows/update-smithy-gradle-plugin.yml
index 46e34d0da01..b4dd2132fa2 100644
--- a/.github/workflows/update-smithy-gradle-plugin.yml
+++ b/.github/workflows/update-smithy-gradle-plugin.yml
@@ -6,6 +6,10 @@ on:
 # Runs every wednesday at 11
 - cron: '0 11 * * WED'
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 get-version:
 runs-on: ubuntu-latest
From 3a845f647b4e3eeb59cd17a4ff03671a26d08145 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 18:05:09 -0400
Subject: [PATCH 3/3] ci: scope down permissions for ci.yml
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 13c92d4378f..d8e70e5cda8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
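Review bot: Nothing in the git-sync.yml hunk shows whether the `git-sync` job needs more than read access, and once a `permissions:` block is declared every GITHUB_TOKEN scope not listed drops to `none` for all jobs. The job's steps are outside the hunk; if the sync authenticates with its own secret or deploy key, `contents: read` is the right default, but that is worth confirming with a `workflow_dispatch` run before merging. The same check applies to the ci.yml hunk in patch 3/3, where any step that publishes check results or comments on the pull request would need its scope listed explicitly. A comment above each block, such as `# GITHUB_TOKEN is read-only by default; grant extra scopes per job`, would record the intent for later editors.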
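Review bot: In update-smithy-gradle-plugin.yml the `contents: write` and `pull-requests: write` grant sits at workflow level, so every job inherits a write-capable token, including `get-version`, whose name suggests it only looks up a version (its steps are outside the hunk). Least privilege would keep the workflow default at `permissions:` with `contents: read` and move the two write scopes into a job-level `permissions:` block on the job that commits the bump and opens the pull request. That way a misbehaving or compromised action in a read-only job cannot modify the repository or its pull requests.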