From a5f4ed15441eb556e48f669b27bed1c4f7736640 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 16:43:36 -0400 Subject: [PATCH 1/6] ci: scope down permissions for clang-format.yml --- .github/workflows/clang-format.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/clang-format.yml b/.github/workflows/clang-format.yml index 55f9ec49fa7..cc813e252ef 100644 --- a/.github/workflows/clang-format.yml +++ b/.github/workflows/clang-format.yml @@ -7,6 +7,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: format-check: runs-on: ubuntu-latest From 3c0e17b681a231f7c516b7f678db2ae098b1fb58 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 16:43:38 -0400 Subject: [PATCH 2/6] ci: scope down permissions for license-scheduled-check.yml --- .github/workflows/license-scheduled-check.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/license-scheduled-check.yml b/.github/workflows/license-scheduled-check.yml index b68eb54aec7..c44049a1498 100644 --- a/.github/workflows/license-scheduled-check.yml +++ b/.github/workflows/license-scheduled-check.yml @@ -4,6 +4,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: build: From 9baebe6f2279301697ce5753bed93742e12e373b Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 16:43:40 -0400 Subject: [PATCH 3/6] ci: scope down permissions for closed-issue-message.yml --- .github/workflows/closed-issue-message.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml index 2881a667a89..cae2d6b538a 100644 --- a/.github/workflows/closed-issue-message.yml +++ b/.github/workflows/closed-issue-message.yml @@ -2,6 +2,9 @@ name: Closed Issue Message on: issues: types: [closed] +permissions: + issues: write + jobs: auto_comment: runs-on: ubuntu-latest From 176a56fe7404fe2581f2723f2e127adbd39b838c Mon Sep 17 00:00:00 2001 
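Review bot: The new `permissions:` block in clang-format.yml has no comment saying why it is there, so a later edit that needs another scope may widen it without noticing that every unlisted scope is now `none`. I would add one line above it: `# Least privilege: this workflow only reads the repository; unlisted GITHUB_TOKEN scopes are none.` The same comment fits the identical `contents: read` blocks added in license-scheduled-check.yml, license-check.yml and cspell.yml. The job steps are outside these hunks, so a run of each workflow should confirm that read access is really all they need.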
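Review bot: `issues: write` is granted at workflow level in closed-issue-message.yml, so any job added to this file later inherits a write-capable token. Scoping it to the job that appears to need it is tighter: set `permissions: {}` at top level and put `permissions:` with `issues: write` under `auto_comment:`. stale_issue.yml has the same shape with its `cleanup` job. The job body continues outside the hunk, so which steps use the token cannot be checked from here.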
From: Adnan Khan Date: Tue, 21 Oct 2025 16:43:42 -0400 Subject: [PATCH 4/6] ci: scope down permissions for license-check.yml --- .github/workflows/license-check.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml index f91f8c66632..5edc44ebfde 100644 --- a/.github/workflows/license-check.yml +++ b/.github/workflows/license-check.yml @@ -2,6 +2,9 @@ name: License Scan on: [pull_request] +permissions: + contents: read + jobs: build: From 8c9ead27c67ae759e056be0d5b6a774e67a73c51 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 16:43:44 -0400 Subject: [PATCH 5/6] ci: scope down permissions for cspell.yml --- .github/workflows/cspell.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml index b0bc75bdbe9..1a4c257edb7 100644 --- a/.github/workflows/cspell.yml +++ b/.github/workflows/cspell.yml @@ -2,6 +2,9 @@ name: cspell on: [push] +permissions: + contents: read + jobs: cspell: name: cspell From d109da692c4d1e7531a6d09cbac87c25939d711d Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 16:43:46 -0400 Subject: [PATCH 6/6] ci: scope down permissions for stale_issue.yml --- .github/workflows/stale_issue.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml index 4aff44e8e03..a20088a5ff5 100644 --- a/.github/workflows/stale_issue.yml +++ b/.github/workflows/stale_issue.yml @@ -5,6 +5,10 @@ on: schedule: - cron: "0 0 * * *" +permissions: + issues: write + pull-requests: write + jobs: cleanup: runs-on: ubuntu-latest
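Review bot: `pull-requests: write` is granted next to `issues: write` in stale_issue.yml, but the steps of `cleanup` are outside the hunk, so it is not visible whether the job acts on pull requests at all. If it only processes issues, drop the `pull-requests: write` line. If it does handle stale pull requests, a comment such as `# needed to label/close stale PRs` would record why the second write scope exists.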