From 9e82dded6448e285536ebf41da8ac5cfd101c644 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:45:51 -0400
Subject: [PATCH 1/3] ci: scope down permissions for stale-bot.yml

---
 .github/workflows/stale-bot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index 420bea27..4bc35f82 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -17,6 +17,10 @@ on:
 - cron: '0 20 * * SUN' # every Sunday at 20 am UTC: PST 0:00 AM "
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
 stale-close:
 runs-on: ubuntu-latest

From 4ac11a58d336d447b796d74803dfe9a30a6e2232 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:45:53 -0400
Subject: [PATCH 2/3] ci: scope down permissions for codeql-analysis.yml

---
 .github/workflows/codeql-analysis.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a82aeb03..6b29e991 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -5,6 +5,9 @@ on:
 push:
 branches: [ main ]
+permissions:
+  contents: read
+
 jobs:
 analyze:
 name: Analyze

From c91ddcc5a915cd17e9e6395d67775013abca1261 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:45:55 -0400
Subject: [PATCH 3/3] ci: scope down permissions for pr-build-modules.yml

---
 .github/workflows/pr-build-modules.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pr-build-modules.yml b/.github/workflows/pr-build-modules.yml
index 5dc83640..34ab47ee 100644
--- a/.github/workflows/pr-build-modules.yml
+++ b/.github/workflows/pr-build-modules.yml
@@ -12,6 +12,9 @@ env:
 GO_VERSION: stable
 GOLANGCI_LINT_VERSION: v1.64
+permissions:
+  contents: read
+
 jobs:
 detect-modules-to-lint-and-test:
 runs-on: ubuntu-latest
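Review bot: The new workflow-level `permissions` block in stale-bot.yml grants `issues: write` and `pull-requests: write` without recording which step consumes them, so the next person tightening this file has to rediscover why both are needed. A one-line comment above the block would do, e.g. `# write on issues/PRs is needed to label, comment on and close stale items; nothing else in this workflow should need the token`. The `stale-close` job's steps are outside the hunk, so whether it also relies on `contents` (a stale bot normally should not) cannot be confirmed from here.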
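Review bot: `contents: read` alone is very likely too little for codeql-analysis.yml: the CodeQL analyze/upload step writes results to code scanning, which needs `security-events: write` on the token, and once a workflow-level `permissions` block exists every permission not listed is dropped. Unless the `analyze` job (whose body is outside the hunk) declares its own job-level `permissions`, the SARIF upload is likely to be rejected with a 403 on the next push to `main`. Keep the block but extend it: `permissions:` / `  contents: read` / `  security-events: write`; add `actions: read` as well if this is a private repository, as the codeql-action documentation recommends.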
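Review bot: The workflow-level `contents: read` in pr-build-modules.yml is the right default, but the jobs it now constrains start below the hunk, so it is worth checking whether any of them use the token for more than checkout: `golangci/golangci-lint-action` (the `GOLANGCI_LINT_VERSION` env above suggests it is used) needs `pull-requests: read` when `only-new-issues` is enabled, and a change-detection job that reads the PR files API needs the same. If so, grant it at job level rather than widening this block, e.g. under that job `permissions:` / `  contents: read` / `  pull-requests: read`. On `pull_request` runs from forks the token is read-only regardless, so anything here that needed write access would already be failing.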