From 3075bbe73fefa90ae8f3d6f54edd64ac3ad021cf Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:35:58 -0400
Subject: [PATCH 1/3] ci: scope down permissions for stale_issues.yml

---
 .github/workflows/stale_issues.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/stale_issues.yml b/.github/workflows/stale_issues.yml
index e50f18d55b..ccced9dde0 100644
--- a/.github/workflows/stale_issues.yml
+++ b/.github/workflows/stale_issues.yml
@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest

From 0a62628af8146c4421b13d028d849477599b2b1d Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:36:00 -0400
Subject: [PATCH 2/3] ci: scope down permissions for git-sync.yml

---
 .github/workflows/git-sync.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/git-sync.yml b/.github/workflows/git-sync.yml
index 493f9b349e..a125e4e0a3 100644
--- a/.github/workflows/git-sync.yml
+++ b/.github/workflows/git-sync.yml
@@ -5,6 +5,9 @@ on:
     branches: [ master ]
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   git-sync:
     runs-on: ubuntu-latest

From b205d928e8bcc167b8db83883d44bac4f07bffbc Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:40:00 -0400
Subject: [PATCH 3/3] Use read-only permissions since SSH key is used for auth.

---
 .github/workflows/git-sync.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/git-sync.yml b/.github/workflows/git-sync.yml
index a125e4e0a3..63510b629e 100644
--- a/.github/workflows/git-sync.yml
+++ b/.github/workflows/git-sync.yml
@@ -5,8 +5,7 @@ on:
     branches: [ master ]
   workflow_dispatch:
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   git-sync:
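Review bot: The new top-level `permissions:` block in stale_issues.yml grants `issues: write` and `pull-requests: write` without recording why either scope is needed, and the `cleanup` job body that would justify them lies outside the hunk. Once any scope is listed here, every unlisted scope (including `contents`) drops to none for the whole workflow, so if the job checks out the repository it will also need `contents: read`; if it only processes issues and never touches pull requests, `pull-requests: write` is one more write scope than the token needs. I would add a comment above the block such as `# Least privilege: the stale job only labels/closes issues and PRs; every scope not listed here is implicitly none.` and confirm each scope against the action's configuration in the job.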
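Review bot: Replacing the `contents: write` grant with `permissions: {}` in git-sync.yml leaves GITHUB_TOKEN with no scopes at all, but the hunk does not say how the job authenticates instead; only the commit subject mentions an SSH key, and the `git-sync` job body starts after the hunk ends. If any step in that job still relies on the default token (for example a checkout that does not supply the SSH key), it will now fail on `contents`, so the step that uses the key should be checked against this change. A comment above the line would make the intent survive future edits, for instance `# GITHUB_TOKEN is deliberately unprivileged: the sync step authenticates with a repository SSH deploy key instead.` The `workflow_dispatch` trigger remains, so the unprivileged token also applies to manual runs, which is the right default.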