From 0a68e9cfcd729c1752029ea6c73591d3e39a8f3a Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Thu, 11 Dec 2025 18:22:01 -0500
Subject: [PATCH 1/4] ci: scope down permissions for auto_assign.yml

---
 .github/workflows/auto_assign.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/auto_assign.yml b/.github/workflows/auto_assign.yml
index 093e194..9167b24 100644
--- a/.github/workflows/auto_assign.yml
+++ b/.github/workflows/auto_assign.yml
@@ -3,6 +3,9 @@ on:
   pull_request:
     types: [opened, ready_for_review]
 
+permissions:
+  pull-requests: write
+
 jobs:
   add-reviews:
     runs-on: ubuntu-latest

From e5b50e48d571308fc0ebb8037263c5a75049c5d8 Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Thu, 11 Dec 2025 18:22:03 -0500
Subject: [PATCH 2/4] ci: scope down permissions for label_pr_on_title.yml

---
 .github/workflows/label_pr_on_title.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index e6ce47d..671795b 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  pull-requests: write
+
 jobs:
   get_pr_details:
     # Guardrails to only ever run if PR recording workflow was indeed

From 6ea4e93585de8b69e9cd8d7f99038ac3e62fa353 Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Thu, 11 Dec 2025 18:22:05 -0500
Subject: [PATCH 3/4] ci: scope down permissions for on_merged_pr.yml

---
 .github/workflows/on_merged_pr.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
index 2bce046..6da5d04 100644
--- a/.github/workflows/on_merged_pr.yml
+++ b/.github/workflows/on_merged_pr.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  issues: write
+
 jobs:
   get_pr_details:
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'

From ac198784f8425cc3e6933872ebd3653ae5d6092a Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Thu, 11 Dec 2025 18:22:07 -0500
Subject: [PATCH 4/4] ci: scope down permissions for on_opened_pr.yml

---
 .github/workflows/on_opened_pr.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 9712a3f..0bb285c 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  pull-requests: write
+
 jobs:
   get_pr_details:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}