From e7ef062a05ae2901fe96e1e92d49dae27c61375b Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:49:51 -0400
Subject: [PATCH 1/7] Scope down GitHub token permissions for auto_assign.yml
---
 .github/workflows/auto_assign.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/auto_assign.yml b/.github/workflows/auto_assign.yml
index 093e194..898c286 100644
--- a/.github/workflows/auto_assign.yml
+++ b/.github/workflows/auto_assign.yml
@@ -3,6 +3,10 @@ on:
 pull_request:
 types: [opened, ready_for_review]
+
+permissions:
+ pull-requests: write
+
 jobs:
 add-reviews:
 runs-on: ubuntu-latest
From 7fec30ee6efb3eb3613f30a0be9fa6921a32c099 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:49:57 -0400
Subject: [PATCH 2/7] Scope down GitHub token permissions for record_pr.yml
---
 .github/workflows/record_pr.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml
index 7ef50e4..5e446e9 100644
--- a/.github/workflows/record_pr.yml
+++ b/.github/workflows/record_pr.yml
@@ -4,6 +4,10 @@ on:
 pull_request:
 types: [opened, edited, closed]
+
+permissions:
+ contents: read
+
 jobs:
 record_pr:
 runs-on: ubuntu-latest
From a8e96dad8ef252cd2a4d718f5ce81f649581ff3a Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:50:04 -0400
Subject: [PATCH 3/7] Scope down GitHub token permissions for reusable_export_pr_details.yml
---
 .github/workflows/reusable_export_pr_details.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index dfe1326..c1a3b77 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -36,6 +36,10 @@ on:
 description: "Whether PR is merged"
 value: ${{ jobs.export_pr_details.outputs.prIsMerged }}
+
+permissions:
+ contents: read
+
 jobs:
 export_pr_details:
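Review bot: The new `permissions:` block grants `pull-requests: write` to the whole workflow without recording which step needs it; a one-line comment above it, `# pull-requests: write — presumably needed to request reviewers on the PR`, lets the next reader audit the grant without opening the action. From the hunk counts (four insertions, two of them blank `+` lines, beside the one blank context line the old side must contain) the new file has two consecutive blank lines around the block; dropping one keeps a single blank between top-level keys, and the same applies to every patch in this series. Note that on a `pull_request` trigger from a fork the token is read-only regardless of this block, so the write scope only takes effect for same-repository PRs. The `add-reviews` job body is outside the hunk.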
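Review bot: `contents: read` is the minimum for a job that checks out the repository, but if `record_pr` only captures the `pull_request` event payload into an artifact, as its name and the `opened, edited, closed` trigger suggest, it needs no token scope at all and `permissions: {}` is the tighter grant. The job body is outside the hunk, so confirm whether `actions/checkout` is used before tightening further. Whatever this job writes is produced in the PR author's run context, so the `workflow_run` consumers in patches 4–6 of this series should treat that artifact as untrusted input.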
From 4989af4028129a65ba583ec24b15c09a036e52b2 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:50:09 -0400
Subject: [PATCH 4/7] Scope down GitHub token permissions for on_opened_pr.yml
---
 .github/workflows/on_opened_pr.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 9712a3f..b93984a 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -6,6 +6,11 @@ on:
 types:
 - completed
+
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 get_pr_details:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
From 99737db29280e4f57dee936097849c03a833b42d Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:50:14 -0400
Subject: [PATCH 5/7] Scope down GitHub token permissions for label_pr_on_title.yml
---
 .github/workflows/label_pr_on_title.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index e6ce47d..f14e732 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -6,6 +6,11 @@ on:
 types:
 - completed
+
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 get_pr_details:
 # Guardrails to only ever run if PR recording workflow was indeed
From b614fa4e950c8589728b24a1a8c2a6114ed96081 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:50:19 -0400
Subject: [PATCH 6/7] Scope down GitHub token permissions for on_merged_pr.yml
---
 .github/workflows/on_merged_pr.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
index 2bce046..c51d840 100644
--- a/.github/workflows/on_merged_pr.yml
+++ b/.github/workflows/on_merged_pr.yml
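Review bot: `pull-requests: write` is granted at workflow level, so it also applies to `get_pr_details`, which from its name and the `conclusion == 'success'` guard only reads the details recorded by the earlier run and should not need a write scope. Because this is a `workflow_run` workflow the token carries base-repository privileges even when the triggering run came from a fork, so the write scope belongs only on the job that acts on the PR: keep the workflow block at `permissions:` / `  contents: read` and add `permissions:` / `  pull-requests: write` under that job. The same workflow-level grant appears in label_pr_on_title.yml (patch 5/7, `pull-requests: write`) and on_merged_pr.yml (patch 6/7, `issues: write`), and the same job-level split applies there. The job bodies are outside the hunk, so which job comments or labels is inferred from the file names; confirm against the steps before moving the scope. on_merged_pr.yml additionally guards on `workflow_run.event == 'pull_request'` while this file's `if` checks only the conclusion; that is pre-existing, but worth aligning in the same pass.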
@@ -6,6 +6,11 @@ on:
 types:
 - completed
+
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 get_pr_details:
 if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
From 8ec108273a606110b8940d9a334166a0cb4fcc33 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:50:25 -0400
Subject: [PATCH 7/7] Scope down GitHub token permissions for build.yml
---
 .github/workflows/build.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0ab08c5..7b97c93 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 branches: [ develop, main ]
+
+permissions:
+ contents: read
+
 defaults:
 run:
 working-directory: ./