ci: scope down GitHub Token permissions (#3217)

AdnaneKhan · web-flow · commit 4718b0d9f829 · 2025-10-21T13:13:37.000-04:00
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
@@ -2,6 +2,10 @@ name: Closed Issue Message
 on:
     issues:
        types: [closed]
+
+permissions:
+  issues: write
+
 jobs:
     auto_comment:
         runs-on: ubuntu-latest
diff --git a/.github/workflows/codegen.yml b/.github/workflows/codegen.yml
@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [ main ]
 
+
+permissions:
+  contents: read
+
 env:
   # get owner of the repository. used by forks.
   SMITHY_GO_REPOSITORY: ${{ github.event.pull_request.head.repo.owner.login }}/smithy-go
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -9,6 +9,10 @@ on:
       - main
       - 'feat-**'
 
+
+permissions:
+  contents: read
+
 env:
   EACHMODULE_CONCURRENCY: 2
   SMITHY_GO_REPOSITORY: ${{ github.event.pull_request.head.repo.owner.login }}/smithy-go
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
@@ -2,6 +2,10 @@ name: License Scan
 
 on: [pull_request]
 
+
+permissions:
+  contents: read
+
 jobs:
   licensescan:
     name: License Scan
diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
@@ -9,6 +9,10 @@ on:
       - main
       - 'feat-**'
 
+
+permissions:
+  contents: read
+
 env:
   EACHMODULE_CONCURRENCY: 2
   SMITHY_GO_REPOSITORY: ${{ github.event.pull_request.head.repo.owner.login }}/smithy-go
diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml
@@ -5,6 +5,11 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
+
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
