ci: scope down GitHub Token permissions (#1753)

AdnaneKhan · web-flow · commit 9f9834a461bf · 2025-12-18T20:14:04.000-05:00
* ci: scope down permissions for git-sync.yml

* ci: scope down permissions for update-smithy-gradle-plugin.yml

* ci: scope down permissions for ci.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/git-sync.yml b/.github/workflows/git-sync.yml
@@ -5,6 +5,9 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   git-sync:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-smithy-gradle-plugin.yml b/.github/workflows/update-smithy-gradle-plugin.yml
@@ -6,6 +6,10 @@ on:
     # Runs every wednesday at 11
     - cron:  '0 11 * * WED'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   get-version:
     runs-on: ubuntu-latest
