From c89b5eb2e759f89078e2d58a4c51a832e8558ab8 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:19:46 -0400 Subject: [PATCH 1/9] ci: scope down permissions for fail-master-prs.yml --- .github/workflows/fail-master-prs.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/fail-master-prs.yml b/.github/workflows/fail-master-prs.yml index 671b81edb066..e6ca087aab00 100644 --- a/.github/workflows/fail-master-prs.yml +++ b/.github/workflows/fail-master-prs.yml @@ -4,6 +4,9 @@ on: pull_request: branches: [ master ] +permissions: + contents: read + jobs: fail: runs-on: ubuntu-latest From e5585623cdccef3f59543cfff64e0ea3e95e8060 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:19:48 -0400 Subject: [PATCH 2/9] ci: scope down permissions for run-bundle-test.yml --- .github/workflows/run-bundle-test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/run-bundle-test.yml b/.github/workflows/run-bundle-test.yml index bd1b0a26df8a..f95124a6a43e 100644 --- a/.github/workflows/run-bundle-test.yml +++ b/.github/workflows/run-bundle-test.yml @@ -8,6 +8,9 @@ on: pull_request: branches-ignore: [ master ] +permissions: + contents: read + jobs: test-bundle: runs-on: ${{ matrix.os }} From ea9470c83114aa6aacbf5550a8454d8c227e4f94 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:19:49 -0400 Subject: [PATCH 3/9] ci: scope down permissions for changelog.yml --- .github/workflows/changelog.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 643fc7f96ffa..c94a3e92a585 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -41,6 +41,9 @@ on: link. required: true +permissions: + contents: write + jobs: add-changelog: runs-on: Ubuntu-latest From 1f9cce62cd7297d3194899dfe80a4d2519632741 Mon Sep 17 00:00:00 2001 
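Review bot: `contents: read` may still be more than the `fail` job in fail-master-prs.yml needs; a job whose only purpose is to fail the run and which never calls `actions/checkout` can declare `permissions: {}`, which issues a GITHUB_TOKEN with no scopes at all. The `fail` job body runs past the end of the hunk (only `runs-on: ubuntu-latest` is visible), so confirm whether it checks out the repository before tightening further. If it does check out, `contents: read` is already the correct minimum.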
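Review bot: In changelog.yml the new `contents: write` is declared at the workflow level, which hands a push-capable token to every job in the file; if only the job that commits the changelog needs it, keep the top-level block at `contents: read` and put `permissions:` / `  contents: write` under that job instead. The same workflow-level `contents: write` is added to update-lockfiles.yml and doc-pr-cherry-pick.yml later in this series, and the same job-level scoping applies there. All three are `workflow_dispatch` workflows with required user-supplied inputs (the tail of one input definition, `required: true`, is visible in this hunk), and with write rights on the token any `${{ inputs.* }}` expression interpolated directly into a `run:` step becomes a script-injection path with push access; the job bodies lie outside the hunks, so confirm inputs reach shell steps via `env:` rather than inline expressions.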
From: Adnan Khan Date: Tue, 21 Oct 2025 17:19:51 -0400 Subject: [PATCH 4/9] ci: scope down permissions for update-lockfiles.yml --- .github/workflows/update-lockfiles.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/update-lockfiles.yml b/.github/workflows/update-lockfiles.yml index 5dcf8e4352c1..745737b46dd3 100644 --- a/.github/workflows/update-lockfiles.yml +++ b/.github/workflows/update-lockfiles.yml @@ -20,6 +20,9 @@ on: the generated files. +permissions: + contents: write + jobs: update-lockfiles: From da21b6eb749cc014739b5c729a0325a2cea31fcc Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:19:53 -0400 Subject: [PATCH 5/9] ci: scope down permissions for run-tests.yml --- .github/workflows/run-tests.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index dbcdc6d351b5..243894dda2c4 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -5,6 +5,9 @@ on: pull_request: branches-ignore: [ master ] +permissions: + contents: read + jobs: build: From d3ff3fa5bee4a461a616a83a8f75c1b285101800 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:19:55 -0400 Subject: [PATCH 6/9] ci: scope down permissions for closed-issue-message.yml --- .github/workflows/closed-issue-message.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml index 6ab5db076912..66f8a2e75052 100644 --- a/.github/workflows/closed-issue-message.yml +++ b/.github/workflows/closed-issue-message.yml @@ -2,6 +2,9 @@ name: Closed Issue Message on: issues: types: [closed] +permissions: + issues: write + jobs: auto_comment: runs-on: ubuntu-latest From 098a24cba88dc221dc6e326d79c6c00cee49c3c8 Mon Sep 17 00:00:00 2001 
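Review bot: `issues: write` is the minimum scope for a job that comments on a closed issue, but the trigger `issues: types: [closed]` in closed-issue-message.yml means the job runs on a payload whose title and body were written by whoever opened the issue. The `auto_comment` job body continues past the hunk; confirm the comment is posted through an action or API call that receives the token as an input, and that no `${{ github.event.issue.* }}` field is interpolated inline into a `run:` step, since the write-capable token would otherwise be reachable from that text. If the job only needs to comment, the scope cannot be reduced below `issues: write`.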
From: Adnan Khan Date: Tue, 21 Oct 2025 17:19:56 -0400 Subject: [PATCH 7/9] ci: scope down permissions for stale_community_prs.yml --- .github/workflows/stale_community_prs.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/stale_community_prs.yml b/.github/workflows/stale_community_prs.yml index 2102b191ce91..54b4ca5c1485 100644 --- a/.github/workflows/stale_community_prs.yml +++ b/.github/workflows/stale_community_prs.yml @@ -1,6 +1,9 @@ name: 'Check stale community PRs.' on: workflow_dispatch +permissions: + pull-requests: write + jobs: stale-implementation-stage: runs-on: ubuntu-latest From d1442a376334b07b5bd691b8b529b66a9f5208a0 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:19:58 -0400 Subject: [PATCH 8/9] ci: scope down permissions for run-dep-tests.yml --- .github/workflows/run-dep-tests.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/run-dep-tests.yml b/.github/workflows/run-dep-tests.yml index 99f83be76444..257ad5f6618c 100644 --- a/.github/workflows/run-dep-tests.yml +++ b/.github/workflows/run-dep-tests.yml @@ -5,6 +5,9 @@ on: pull_request: branches-ignore: [ master ] +permissions: + contents: read + jobs: build: From 4037c4a7ff409eddfd1f42dc888c39a8855676a5 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:20:00 -0400 Subject: [PATCH 9/9] ci: scope down permissions for doc-pr-cherry-pick.yml --- .github/workflows/doc-pr-cherry-pick.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/doc-pr-cherry-pick.yml b/.github/workflows/doc-pr-cherry-pick.yml index b9ddf589dd91..f8c34f33606e 100644 --- a/.github/workflows/doc-pr-cherry-pick.yml +++ b/.github/workflows/doc-pr-cherry-pick.yml @@ -8,6 +8,10 @@ on: type: string required: true +permissions: + contents: write + pull-requests: write + jobs: cherry_pick_and_create_pr: runs-on: ubuntu-latest
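Review bot: `pull-requests: write` on its own may be insufficient for the stale jobs in stale_community_prs.yml — if they use `actions/stale`, that action documents needing `issues: write` alongside `pull-requests: write`, so the runs would fail at runtime once this lands rather than at parse time. Only `stale-implementation-stage` is visible and the `jobs:` block continues past the hunk, so there may be several jobs; if their needs differ, declaring `permissions:` per job is tighter than the workflow-level block. Confirm against the steps each job runs before merging.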