From 68155a93885a2a19d2516d5c9b44f855d6f6dc62 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:21:08 -0400
Subject: [PATCH 1/3] ci: scope down permissions for labeler.yml
---
 .github/workflows/labeler.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 4dc1274f1..c4ca2a2aa 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -7,6 +7,9 @@ on:
 paths:
 - .github/config/labels.yml
+permissions:
+ issues: write
+
 jobs:
 modify-labels:
 runs-on: ubuntu-latest
From 6669049eed036c4d51ac6e214d83d90cbaf1c390 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:21:10 -0400
Subject: [PATCH 2/3] ci: scope down permissions for ci.yml
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d5c6e2e4b..7871fd06a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [ mainline, 'feature*' ]
+permissions:
+ contents: read
+
 jobs:
 build:
From 45bc51ebcd7d7e49b0925961f0718c98947221ae Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:21:12 -0400
Subject: [PATCH 3/3] ci: scope down permissions for auto-approve.yml
---
 .github/workflows/auto-approve.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index d5744c8ed..92af8e8c2 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -5,6 +5,9 @@ name: Auto Approve Dependabot PR's
 on: pull_request_target
+permissions:
+ pull-requests: write
+
 jobs:
 auto-approve:
 runs-on: ubuntu-latest
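Review bot: With only `issues: write` listed in labeler.yml, the `modify-labels` job has no `contents` access, because a workflow-level `permissions:` block sets every scope it does not name to `none`. If a step outside this hunk checks out the repository to read `.github/config/labels.yml`, that can fail on a private or internal repository; the job's steps are not visible here, so this is worth confirming and, if needed, adding `contents: read`. Declaring the block under `modify-labels:` rather than at the top level would also keep a job added later from inheriting `issues: write`. The same check applies to the blocks added in ci.yml and auto-approve.yml, whose job bodies also lie outside their hunks.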
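Review bot: The approval in `auto-approve` needs a gate on the PR author, because `on: pull_request_target` in auto-approve.yml gives the job a token with `pull-requests: write` even for pull requests opened from forks. The added block narrows the token but does not restrict who can trigger the workflow. The job body is outside this hunk, so I cannot see whether such a gate exists; if it is missing or keyed on `github.actor`, I would put `if: github.event.pull_request.user.login == 'dependabot[bot]'` on the job. I would also add a comment above the block, `# pull_request_target: never check out or run PR head code in this workflow`, so the constraint survives later edits.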