From 38adf331b2e6f5f4c2ebdcf06b7d3e3692c4182f Mon Sep 17 00:00:00 2001
From: charlie4284
Date: Wed, 15 Apr 2026 10:27:51 +0800
Subject: [PATCH 1/2] ci: define explicit workflow permissions
---
.github/workflows/close-bugs-bot.yml | 4 ++++
.github/workflows/close-features-bot.yml | 4 ++++
.github/workflows/dotnet-upgrade.yml | 4 ++++
.github/workflows/patch_update_main.yml | 4 ++++
.github/workflows/patch_update_release.yml | 4 ++++
.github/workflows/release.yml | 3 +++
.github/workflows/stale-bot.yml | 4 ++++
7 files changed, 27 insertions(+)
diff --git a/.github/workflows/close-bugs-bot.yml b/.github/workflows/close-bugs-bot.yml
index 6a5a2feb06a..fd4db08d567 100644
--- a/.github/workflows/close-bugs-bot.yml
+++ b/.github/workflows/close-bugs-bot.yml
@@ -3,6 +3,10 @@ on: workflow_dispatch: schedule: - cron: '0 0 * * *' # every day at midnight + +permissions: + issues: write + jobs: stale: runs-on: ubuntu-latest
diff --git a/.github/workflows/close-features-bot.yml b/.github/workflows/close-features-bot.yml
index 6207aab555b..575785352ef 100644
--- a/.github/workflows/close-features-bot.yml
+++ b/.github/workflows/close-features-bot.yml
@@ -3,6 +3,10 @@ on: workflow_dispatch: schedule: - cron: '0 0 * * *' # every day at midnight + +permissions: + issues: write + jobs: stale: runs-on: ubuntu-latest
diff --git a/.github/workflows/dotnet-upgrade.yml b/.github/workflows/dotnet-upgrade.yml
index 12dc8be0246..85aaeee9ce8 100644
--- a/.github/workflows/dotnet-upgrade.yml
+++ b/.github/workflows/dotnet-upgrade.yml
@@ -5,6 +5,10 @@ on: - cron: '0 0 * * 1' workflow_dispatch: +permissions: + contents: write + pull-requests: write + jobs: dotnet-update: runs-on: ubuntu-latest
diff --git a/.github/workflows/patch_update_main.yml b/.github/workflows/patch_update_main.yml
index f7d2b29f1d9..292a4dfe136 100644
--- a/.github/workflows/patch_update_main.yml
+++ b/.github/workflows/patch_update_main.yml
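Review bot: The new workflow-level `permissions:` block grants only `issues: write`, so if the `stale` job declared right after it also processes pull requests, the token lacks `pull-requests: write` and those label/close calls will fail with a permission error; the job's actions/stale configuration is outside the hunk, so confirm it is issue-only (for example `days-before-pr-stale: -1`) or add `pull-requests: write`. Once `permissions:` is declared, every unlisted scope including `contents` drops to `none`, which is the intended least-privilege outcome for a stale job that does not check out the repository, but it is worth a line in the commit description. The same point applies to the close-features-bot.yml and stale-bot.yml hunks.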
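Review bot: Declaring `contents: write` and `pull-requests: write` at the workflow level hands that token to every job and every third-party action step in the file, not only to the step that pushes the upgrade branch and opens the pull request; only the `dotnet-update:` job header is visible here, so if the workflow has other jobs, or steps that run external tooling before the push, the block should move under `jobs.dotnet-update.permissions:` so the default token stays read-only elsewhere. The same workflow-level placement is used in the patch_update_main.yml, patch_update_release.yml and release.yml hunks; release.yml in particular has a `check:` job whose visible `if:` gate only inspects `github.ref` and would presumably need no more than `contents: read`. A token with `contents: write` can push to any branch that is not protected, so branch protection on `main` and `releases/*` is the backstop to verify alongside this change.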
@@ -9,6 +9,10 @@ on: - 'patches/runner-main-sdk8-*.patch' - 'patches/last_processed_commit.txt' +permissions: + contents: write + pull-requests: write + jobs: update-patches: runs-on: ubuntu-latest
diff --git a/.github/workflows/patch_update_release.yml b/.github/workflows/patch_update_release.yml
index a4b1ec899d9..8d522a7aa2a 100644
--- a/.github/workflows/patch_update_release.yml
+++ b/.github/workflows/patch_update_release.yml
@@ -9,6 +9,10 @@ on: - "patches/runner-sdk8-*.patch" - "patches/last_processed_tag.txt" +permissions: + contents: write + pull-requests: write + jobs: update-patches: runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae731316831..7831b72f96a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,9 @@ on: paths: - releaseVersion +permissions: + contents: write + jobs: check: if: startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main'
diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index d0d7e115a27..5b6c515d75c 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -3,6 +3,10 @@ on: workflow_dispatch: schedule: - cron: '0 0 * * 1' # every monday at midnight + +permissions: + issues: write + jobs: stale: runs-on: ubuntu-latest
From 56aba6ac3af388d168cb48a08a36a299123597e3 Mon Sep 17 00:00:00 2001
From: charlie4284
Date: Wed, 15 Apr 2026 10:30:33 +0800
Subject: [PATCH 2/2] chore: add permission comments
---
.github/workflows/close-bugs-bot.yml | 2 +-
.github/workflows/close-features-bot.yml | 2 +-
.github/workflows/dotnet-upgrade.yml | 4 ++--
.github/workflows/patch_update_main.yml | 4 ++--
.github/workflows/patch_update_release.yml | 4 ++--
.github/workflows/release.yml | 2 +-
.github/workflows/stale-bot.yml | 2 +-
7 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/close-bugs-bot.yml b/.github/workflows/close-bugs-bot.yml
index fd4db08d567..0fb89be9990 100644
--- a/.github/workflows/close-bugs-bot.yml
+++ b/.github/workflows/close-bugs-bot.yml
@@ -5,7 +5,7 @@ on: - cron: '0 0 * * *' # every day at midnight permissions: - issues: write + issues: write # Required to label and close stale bug issues via actions/stale jobs: stale:
diff --git a/.github/workflows/close-features-bot.yml b/.github/workflows/close-features-bot.yml
index 575785352ef..37183d40846 100644
--- a/.github/workflows/close-features-bot.yml
+++ b/.github/workflows/close-features-bot.yml
@@ -5,7 +5,7 @@ on: - cron: '0 0 * * *' # every day at midnight permissions: - issues: write + issues: write # Required to label and close feature request issues via actions/stale jobs: stale:
diff --git a/.github/workflows/dotnet-upgrade.yml b/.github/workflows/dotnet-upgrade.yml
index 85aaeee9ce8..d5bdf1ec15d 100644
--- a/.github/workflows/dotnet-upgrade.yml
+++ b/.github/workflows/dotnet-upgrade.yml
@@ -6,8 +6,8 @@ on: workflow_dispatch: permissions: - contents: write - pull-requests: write + contents: write # Required to push the SDK version upgrade branch + pull-requests: write # Required to create the upgrade pull request via gh cli jobs: dotnet-update:
diff --git a/.github/workflows/patch_update_main.yml b/.github/workflows/patch_update_main.yml
index 292a4dfe136..f2beb19b7c2 100644
--- a/.github/workflows/patch_update_main.yml
+++ b/.github/workflows/patch_update_main.yml
@@ -10,8 +10,8 @@ on: - 'patches/last_processed_commit.txt' permissions: - contents: write - pull-requests: write + contents: write # Required to push patch updates and branches + pull-requests: write # Required to create pull requests via peter-evans/create-pull-request jobs: update-patches:
diff --git a/.github/workflows/patch_update_release.yml b/.github/workflows/patch_update_release.yml
index 8d522a7aa2a..31e42bde0e9 100644
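Review bot: The new comment on `pull-requests: write` names peter-evans/create-pull-request but leaves out the caveat a maintainer most needs: if the action runs with the default `GITHUB_TOKEN` (its configuration is outside the hunk), the pull request it opens does not trigger `pull_request` or `push` workflows, so CI checks will not run on the generated PR, and widening this permission block will not fix that. If that is the case here, extend the comment, e.g. `pull-requests: write  # Required to create pull requests via peter-evans/create-pull-request; PRs opened with GITHUB_TOKEN do not trigger other workflows`. The same caveat applies to the `gh cli` comment in the dotnet-upgrade.yml hunk and to the patch_update_release.yml hunk that continues on the next line.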
--- a/.github/workflows/patch_update_release.yml
+++ b/.github/workflows/patch_update_release.yml
@@ -10,8 +10,8 @@ on: - "patches/last_processed_tag.txt" permissions: - contents: write - pull-requests: write + contents: write # Required to push patch updates and release branches + pull-requests: write # Required to create pull requests via peter-evans/create-pull-request jobs: update-patches:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7831b72f96a..091dd67759e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on: - releaseVersion permissions: - contents: write + contents: write # Required to create GitHub releases and upload release assets jobs: check:
diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index 5b6c515d75c..1c5d227c5df 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -5,7 +5,7 @@ on: - cron: '0 0 * * 1' # every monday at midnight permissions: - issues: write + issues: write # Required to label and close stale issues via actions/stale jobs: stale: