From c6dba450e78e83e268483f2bdd6107bcce550863 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:07:13 -0400
Subject: [PATCH 1/5] ci: scope down permissions for lint-commit.yml
---
 .github/workflows/lint-commit.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/lint-commit.yml b/.github/workflows/lint-commit.yml
index 343dfd76a..b81cd506a 100644
--- a/.github/workflows/lint-commit.yml
+++ b/.github/workflows/lint-commit.yml
@@ -3,6 +3,9 @@ name: "Lint PR title and commit message"
 on:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 main:
 name: Validate PR title
From f3869f283122e1ce61344958468cddb6e81f0127 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:07:15 -0400
Subject: [PATCH 2/5] ci: scope down permissions for autorebase.yml
---
 .github/workflows/autorebase.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/autorebase.yml b/.github/workflows/autorebase.yml
index ba60c0d0d..1a58c441d 100644
--- a/.github/workflows/autorebase.yml
+++ b/.github/workflows/autorebase.yml
@@ -9,6 +9,10 @@ on:
 pull_request:
 types: [labeled]
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 auto-rebase:
 name: AutoRebase
From 4c21454225e8fdd65b00ee8639edc4fc51f93529 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:07:17 -0400
Subject: [PATCH 3/5] ci: scope down permissions for validate.yml
---
 .github/workflows/validate.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 24d082f13..9d5222b07 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -7,6 +7,9 @@ on:
 - main
 env:
 PW_TEST_HTML_REPORT_OPEN: 'never'
+permissions:
+ contents: read
+
 jobs:
 repo:
 runs-on: ubuntu-latest
From a7b0690ae99eedd97805db155e5c13fef6dc0235 Mon Sep 17 00:00:00 2001
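Review bot: Declaring only `contents: read` in lint-commit.yml sets every scope that is not listed to `none`, so a step in the `main` job that reads the pull request through the API with GITHUB_TOKEN may lose access it had under the repository default. The job's steps are outside the hunk, so this is unverified; if the title check calls the pull-request API, add `pull-requests: read` under `permissions:`. The same check applies to the `contents: read` blocks added in validate.yml and ui-test-reliability.yml: confirm that no job there posts PR comments or check runs with the workflow token before merging.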
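Review bot: The `contents: write` and `pull-requests: write` grant in autorebase.yml sits at workflow level, so it becomes the default for every job, and nothing in the patch records why the write scopes are required. If the rebase step authenticates with a separate token from secrets rather than GITHUB_TOKEN (the steps are outside the hunk), the workflow token can drop to `contents: read`. Otherwise move the block under the `auto-rebase:` job and add a comment such as `# write access needed to push the rebased branch and update the PR`. release-please.yml receives the same workflow-level write block; scoping it to the `release-please:` job would keep any job added later read-only by default.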
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:07:19 -0400
Subject: [PATCH 4/5] ci: scope down permissions for release-please.yml
---
 .github/workflows/release-please.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 125f2c3f0..8efcd99eb 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -3,6 +3,10 @@ on:
 branches:
 - main
 name: Create release PR
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 release-please:
 runs-on: ubuntu-latest
From c22ceb365561e32898c2dd16e3c45f343a09076f Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:07:21 -0400
Subject: [PATCH 5/5] ci: scope down permissions for ui-test-reliability.yml
---
 .github/workflows/ui-test-reliability.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ui-test-reliability.yml b/.github/workflows/ui-test-reliability.yml
index 3cd369f1f..b4ac20850 100644
--- a/.github/workflows/ui-test-reliability.yml
+++ b/.github/workflows/ui-test-reliability.yml
@@ -10,6 +10,9 @@ on:
 env:
 PW_TEST_HTML_REPORT_OPEN: 'never'
+permissions:
+ contents: read
+
 jobs:
 test-reliability:
 if: ${{ github.event.label.name == 'test:reliability' }}