From 090d390e30d5ef30b891233b93b2501df9276d90 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 10:11:47 +0900 Subject: [PATCH] ci: declare contents:read on sync-openapi workflow The sync-openapi job uses FERN_OPENAPI_SYNC_TOKEN (a custom PAT) for both the checkout and the fern-api/sync-openapi action's pull-request creation. The implicit GITHUB_TOKEN doesn't drive any write here, so the job-level scope can be pinned to contents:read. Matches the per-job permissions style used in ci.yaml, docs.yml, and the fern-docs workflows. promotion.yaml and release.yaml are deliberately left out: each is a multi-stage workflow with release-approval, environment gating, and image promotion that warrants a more careful per-job scope analysis. Signed-off-by: Arpit Jain --- .github/workflows/sync-openapi.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/sync-openapi.yml b/.github/workflows/sync-openapi.yml index 54a86804c0..9adf4a22e0 100644 --- a/.github/workflows/sync-openapi.yml +++ b/.github/workflows/sync-openapi.yml @@ -9,6 +9,8 @@ on: # additional custom triggers can be configured jobs: update-from-source: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 with:
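Review bot: the `contents: read` scope on `update-from-source` only holds if neither step falls back to the implicit GITHUB_TOKEN, and the hunk's context stops at `with:` under `actions/checkout@v4`, so confirm that block actually passes the PAT (e.g. `token: ${{ secrets.FERN_OPENAPI_SYNC_TOKEN }}`) and that the fern-api/sync-openapi step receives the same PAT rather than `github.token`; otherwise the checkout works but the branch push and pull-request creation fail under the narrowed token. A job-level `permissions:` block also sets every unlisted permission to none, which is the intent here, but it is worth a one-line YAML comment above `permissions:` noting that all writes go through FERN_OPENAPI_SYNC_TOKEN, so the reasoning in the commit message survives next to the workflow instead of only in git history.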