From eeb7bbbbed2636a6fc95e464b95638e858ee865e Mon Sep 17 00:00:00 2001
From: Claas Augner
Date: Thu, 16 Oct 2025 14:25:32 +0200
Subject: [PATCH 1/2] ci(workflows): assign explicit permissions

---
 .github/workflows/idle-issues.yml | 6 ++++++
 .github/workflows/lock-closed.yml | 4 ++++
 .github/workflows/new-issues.yml | 4 ++++
 .github/workflows/pr-merge-conflicts.yml | 4 ++++
 4 files changed, 18 insertions(+)
diff --git a/.github/workflows/idle-issues.yml b/.github/workflows/idle-issues.yml
index 0daf455..77405fa 100644
--- a/.github/workflows/idle-issues.yml
+++ b/.github/workflows/idle-issues.yml
@@ -3,6 +3,12 @@ on:
 schedule:
 - cron: "49 11,23 * * *"
 
+# See: https://github.com/actions/stale#recommended-permissions
+permissions:
+ actions: write
+ issues: write
+ pull-requests: write
+
 jobs:
 idle:
 uses: mdn/workflows/.github/workflows/idle.yml@main
diff --git a/.github/workflows/lock-closed.yml b/.github/workflows/lock-closed.yml
index 33c6a52..1b33797 100644
--- a/.github/workflows/lock-closed.yml
+++ b/.github/workflows/lock-closed.yml
@@ -3,6 +3,10 @@ on:
 schedule:
 - cron: "0 9 1 * *"
 
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 lock:
 uses: mdn/workflows/.github/workflows/lock-closed.yml@main
diff --git a/.github/workflows/new-issues.yml b/.github/workflows/new-issues.yml
index 373f82c..888ff92 100644
--- a/.github/workflows/new-issues.yml
+++ b/.github/workflows/new-issues.yml
@@ -6,6 +6,10 @@ on:
 - reopened
 - opened
 
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 label-new-issues:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-merge-conflicts.yml b/.github/workflows/pr-merge-conflicts.yml
index f94b9fe..7e67b7a 100644
--- a/.github/workflows/pr-merge-conflicts.yml
+++ b/.github/workflows/pr-merge-conflicts.yml
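Review bot: The `permissions:` block added to lock-closed.yml is a ceiling for the reusable workflow it calls, so `issues: write` and `pull-requests: write` must cover every scope the jobs in `mdn/workflows/.github/workflows/lock-closed.yml@main` declare; that file is not part of this patch, so this is worth checking before merge. A called job that requests a scope the caller does not grant is rejected when the run starts; it does not run with less. Because the reference is the mutable `@main`, both that requirement and the code receiving these write scopes can change without a commit here; pinning the context line to `uses: mdn/workflows/.github/workflows/lock-closed.yml@<full-commit-sha>` would tie the grant to reviewed code. The same applies to the pr-merge-conflicts.yml hunk (`pr-rebase-needed.yml@main`). The `lock` job may continue past the end of the hunk.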
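Review bot: `pull-requests: write` in new-issues.yml looks broader than needed: the visible trigger types are `reopened` and `opened` and the job is named `label-new-issues`, which suggests it only labels issues, though the trigger key under `on:` and the job's steps lie outside the hunk. If no step touches pull requests, drop that line and keep only `issues: write`. Either way, a one-line comment per scope, as the pr-merge-conflicts.yml hunk does with `# Label pull requests.`, would record why each grant exists, for example `# Label newly opened issues.` above `issues: write`; the lock-closed.yml hunk lacks such comments too.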
@@ -5,6 +5,10 @@ on:
 pull_request_target:
 types: [synchronize]
 
+permissions:
+ # Label pull requests.
+ pull-requests: write
+
 jobs:
 label-merge-conflicts:
 uses: mdn/workflows/.github/workflows/pr-rebase-needed.yml@main
From 92e78faaa2f6a4c7afcb465ea3688b2ebb17bd2e Mon Sep 17 00:00:00 2001
From: Claas Augner <495429+caugner@users.noreply.github.com>
Date: Thu, 16 Oct 2025 18:06:33 +0200
Subject: [PATCH 2/2] ci(idle-issues): remove permissions

We will remove this workflow.
---
 .github/workflows/idle-issues.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/.github/workflows/idle-issues.yml b/.github/workflows/idle-issues.yml
index 77405fa..0daf455 100644
--- a/.github/workflows/idle-issues.yml
+++ b/.github/workflows/idle-issues.yml
@@ -3,12 +3,6 @@ on:
 schedule:
 - cron: "49 11,23 * * *"
 
-# See: https://github.com/actions/stale#recommended-permissions
-permissions:
- actions: write
- issues: write
- pull-requests: write
-
 jobs:
 idle:
 uses: mdn/workflows/.github/workflows/idle.yml@main
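Review bot: The `pull-requests: write` grant added in pr-merge-conflicts.yml applies to runs triggered by `pull_request_target`, which execute with the base repository's token even for pull requests from forks. That is sound only while the called `pr-rebase-needed.yml` never checks out or executes pull-request head code; the called workflow is not visible in this patch, so this is an assumption to confirm. I would record the invariant next to the grant, for instance `# pull_request_target: the called workflow must not check out or run PR code.` above `permissions:`. Declaring the block also sets every unlisted scope, including `contents`, to none, which is the desirable outcome for this trigger provided the called workflow needs nothing else.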