From d1abda45b3f5d71c2807e3936ec78d4e80649b0f Mon Sep 17 00:00:00 2001
From: Ian Botsford <83236726+ianbotsf@users.noreply.github.com>
Date: Mon, 22 Sep 2025 17:55:48 +0000
Subject: [PATCH] chore: add missing permissions for GitHub workflows
---
 .github/workflows/api-compat-verification.yml | 2 ++
 .github/workflows/continuous-integration.yml | 2 ++
 .github/workflows/issue-regression-labeler.yml | 1 +
 .github/workflows/jreleaser.yml | 2 +-
 .github/workflows/lint.yml | 2 ++
 .github/workflows/merge-main.yml | 2 +-
 .github/workflows/minor-version-bump.yml | 2 +-
 .github/workflows/release-readiness.yml | 2 ++
 .github/workflows/stale_issue.yaml | 2 ++
 .github/workflows/sync-mirror.yml | 2 ++
 10 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/api-compat-verification.yml b/.github/workflows/api-compat-verification.yml
index 2d4a22452a..5d7de9de0c 100644
--- a/.github/workflows/api-compat-verification.yml
+++ b/.github/workflows/api-compat-verification.yml
@@ -7,6 +7,8 @@ on: - main - '*-main' +permissions: { } + jobs: api-compat-verification: runs-on: ubuntu-latest
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index a72ae44016..2a7c0cf3a2 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -8,6 +8,8 @@ on: pull_request: workflow_dispatch: +permissions: { } + # Allow one instance of this workflow per pull request, and cancel older runs when new changes are pushed concurrency: group: ci-pr-${{ github.ref }}
diff --git a/.github/workflows/issue-regression-labeler.yml b/.github/workflows/issue-regression-labeler.yml
index adecdbc628..97b857d60e 100644
--- a/.github/workflows/issue-regression-labeler.yml
+++ b/.github/workflows/issue-regression-labeler.yml
@@ -3,6 +3,7 @@ name: issue-regression-label on: issues: types: [opened, edited] +permissions: { } jobs: add-regression-label: runs-on: ubuntu-latest
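Review bot: In the issue-regression-labeler.yml hunk, the new workflow-level `permissions: { }` removes every GITHUB_TOKEN scope, yet the `add-regression-label` job exists to label issues, which needs `issues: write` if it uses that token. The job body continues outside the hunk, so confirm it declares its own grant, for example `permissions:` with `issues: write` under `add-regression-label:`; without it the labeling call would be rejected once this lands. The same check applies to the `cleanup` job in stale_issue.yaml and the `merge` job in merge-main.yml, whose bodies are also outside their hunks. A one-line comment above each default, such as `# Deny all GITHUB_TOKEN scopes by default; jobs opt in to what they need`, would record the intent for later editors.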
diff --git a/.github/workflows/jreleaser.yml b/.github/workflows/jreleaser.yml
index 391e452d5d..93c5d7df6c 100644
--- a/.github/workflows/jreleaser.yml
+++ b/.github/workflows/jreleaser.yml
@@ -3,7 +3,7 @@ name: JReleaser check on: pull_request: - +permissions: { } jobs: jreleaser-check: permissions: {}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c8c67eb7f7..66035c5757 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,8 @@ on: - '*-main' workflow_dispatch: +permissions: { } + env: PACKAGE_NAME: smithy-kotlin
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
index b6316a2f38..7df49eda9a 100644
--- a/.github/workflows/merge-main.yml
+++ b/.github/workflows/merge-main.yml
@@ -3,7 +3,7 @@ on: push: branches: [ main ] workflow_dispatch: - +permissions: { } jobs: merge: runs-on: ubuntu-latest
diff --git a/.github/workflows/minor-version-bump.yml b/.github/workflows/minor-version-bump.yml
index ef10fe70d9..f7a36f8153 100644
--- a/.github/workflows/minor-version-bump.yml
+++ b/.github/workflows/minor-version-bump.yml
@@ -1,7 +1,7 @@ name: Minor version bump check on: pull_request: - +permissions: { } jobs: minor-version-bump-check: permissions: {}
diff --git a/.github/workflows/release-readiness.yml b/.github/workflows/release-readiness.yml
index 26a880217f..baa20268a2 100644
--- a/.github/workflows/release-readiness.yml
+++ b/.github/workflows/release-readiness.yml
@@ -7,6 +7,8 @@ on: pull_request: branches: [ main ] +permissions: { } + jobs: release-readiness: if: ${{ !contains(github.event.pull_request.labels.*.name, 'ready-for-release') }}
diff --git a/.github/workflows/stale_issue.yaml b/.github/workflows/stale_issue.yaml
index c6f1cb933f..ad5b31742f 100644
--- a/.github/workflows/stale_issue.yaml
+++ b/.github/workflows/stale_issue.yaml
@@ -5,6 +5,8 @@ on: schedule: - cron: "0 0/3 * * *" +permissions: { } + jobs: cleanup: name: Stale issue job
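Review bot: In the jreleaser.yml hunk the added `permissions: { }` replaces the blank line after the `on:` block instead of being set off by one, and its spacing differs from the job-level `permissions: {}` visible two lines below; minor-version-bump.yml has both inconsistencies and merge-main.yml the first. The lint.yml, release-readiness.yml and stale_issue.yaml hunks keep the blank lines, so the workflows would be uniform if these three used the same layout: a blank line, `permissions: {}`, a blank line. In jreleaser.yml and minor-version-bump.yml the job already sets an empty map, so the workflow-level default is defence in depth for jobs added later rather than a behavioural change. A short comment saying so would stop someone from removing one of the two as redundant.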
diff --git a/.github/workflows/sync-mirror.yml b/.github/workflows/sync-mirror.yml
index edc80ce30c..7643881e56 100644
--- a/.github/workflows/sync-mirror.yml
+++ b/.github/workflows/sync-mirror.yml
@@ -5,6 +5,8 @@ on: branches: [ main ] workflow_dispatch: +permissions: { } + jobs: git-sync: # Only sync when pushing to source repo