From 246c1a8f882532826720735a1309469353570153 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:28:58 -0400
Subject: [PATCH 1/6] ci: scope down permissions for pull.yml

---
 .github/workflows/pull.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
index 6d7048a53..962e005eb 100644
--- a/.github/workflows/pull.yml
+++ b/.github/workflows/pull.yml
@@ -3,6 +3,9 @@ name: Pull Request Workflow
 on:
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 clang-format:
 uses: ./.github/workflows/clang-format.yml

From 6d895804dd324c8b087ef1ebdc82d123300d418e Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:29:00 -0400
Subject: [PATCH 2/6] ci: scope down permissions for issue-notification.yml

---
 .github/workflows/issue-notification.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/issue-notification.yml b/.github/workflows/issue-notification.yml
index 6674b9616..b784580ed 100644
--- a/.github/workflows/issue-notification.yml
+++ b/.github/workflows/issue-notification.yml
@@ -5,6 +5,9 @@ on:
 issue_comment:
 types: [created]
 
+permissions:
+ contents: read
+
 jobs:
 notify-issue:
 if: github.event_name == 'issues'

From 453ee6fa2738373b1b3640319ea32f43e7349b3e Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:29:02 -0400
Subject: [PATCH 3/6] ci: scope down permissions for repo-sync.yml

---
 .github/workflows/repo-sync.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
index e3776d399..cf250b944 100644
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
@@ -3,6 +3,10 @@ name: Repo Sync
 on:
 workflow_dispatch: # allows triggering this manually through the Actions UI
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 repo-sync:
 name: Repo Sync

From b189ac80cb3755c072f2c1c0e087b9f9f8d2149d Mon Sep 17 00:00:00 2001
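Review bot: Narrowing the token to `contents: read` in issue-notification.yml does not address the other risk an `issues`/`issue_comment` workflow carries: the event payload fields (`github.event.issue.title`, `github.event.comment.body`) are attacker-controlled, so any step in `notify-issue` that interpolates them directly into a `run:` script remains a shell-injection vector regardless of token scope. If those fields are used, route them through the environment, `env:` / `ISSUE_TITLE: ${{ github.event.issue.title }}`, and reference `"$ISSUE_TITLE"` in the script. If no step checks out the repository, `permissions: {}` is the tighter choice, since a notification job has no need to read contents. The job body is outside the hunk, so both points are conditional on what it does.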
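Review bot: The `contents: write` / `pull-requests: write` grant in repo-sync.yml is declared at workflow scope, so every job later added to this file inherits write access; moving it under `jobs.repo-sync.permissions` keeps the grant on the one job that needs it (only `repo-sync` is visible in the hunk, so today the two forms are equivalent). Separately, if the job opens the sync PR with `GITHUB_TOKEN`, GitHub does not fire `pull_request` workflows for that PR, so the clang-format checks in pull.yml would silently not run on synced changes; if a PAT or App token is used instead, these scopes do not govern the push at all, and the comment on the block should say which. The job body is outside the hunk.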
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:29:03 -0400
Subject: [PATCH 4/6] ci: scope down permissions for clang-format.yml

---
 .github/workflows/clang-format.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/clang-format.yml b/.github/workflows/clang-format.yml
index 7a8900dee..5dd3e3227 100644
--- a/.github/workflows/clang-format.yml
+++ b/.github/workflows/clang-format.yml
@@ -3,6 +3,9 @@ name: test-clang-format
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest

From 90caadf67dffb62d9a9e53ca67312e8e2c2fada7 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:29:05 -0400
Subject: [PATCH 5/6] ci: scope down permissions for daily_ci.yml

---
 .github/workflows/daily_ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/daily_ci.yml b/.github/workflows/daily_ci.yml
index 6b38f43bb..306edde89 100644
--- a/.github/workflows/daily_ci.yml
+++ b/.github/workflows/daily_ci.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "00 15 * * 1-5"
 
+permissions:
+ contents: read
+
 jobs:
 codebuild:
 if: github.event_name != 'schedule' || github.repository_owner == 'aws'

From f785731ae4461f7e148c592a283ac12db7454f10 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:29:07 -0400
Subject: [PATCH 6/6] ci: scope down permissions for push.yml

---
 .github/workflows/push.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 0c83adb71..31ba3e4fb 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches: master
 
+permissions:
+ contents: read
+
 jobs:
 clang-format:
 uses: ./.github/workflows/clang-format.yml
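Review bot: The new `permissions` block in clang-format.yml deserves a comment, because in a `workflow_call` workflow it behaves differently from the same block in a top-level workflow: the token a called workflow receives is capped by the caller's grant, so this block can only narrow what pull.yml or push.yml pass in, never widen it. Suggest placing above `permissions:` the comment `# Reusable workflow: the effective token is the intersection of this block and the caller's grant. Kept explicit so a caller that omits its own permissions block still ends up read-only here.`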
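Review bot: A workflow-level `permissions: contents: read` in daily_ci.yml sets every unlisted scope, including `id-token`, to `none`, so if the `codebuild` job obtains AWS credentials through OIDC (for example `aws-actions/configure-aws-credentials` with `role-to-assume`) it must now declare `id-token: write` at job level or the role assumption fails on the next scheduled run. The job body is outside the hunk, so this is conditional on how credentials are obtained; the `github.repository_owner == 'aws'` guard on the visible `if:` does suggest the job depends on upstream-only credentials, which makes a manual dry run before merging worthwhile if the workflow offers a non-schedule trigger. If OIDC is in use, add under `jobs.codebuild`: `permissions:` / `id-token: write` / `contents: read`.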