ci: scope down GitHub Token permissions (#176)

AdnaneKhan · web-flow · commit 959024b9efac · 2026-02-19T21:46:20.000+08:00
* ci: scope down permissions for auto_assign.yml

* ci: scope down permissions for label_pr_on_title.yml

* ci: scope down permissions for on_merged_pr.yml

* ci: scope down permissions for on_opened_pr.yml
diff --git a/.github/workflows/auto_assign.yml b/.github/workflows/auto_assign.yml
@@ -3,6 +3,9 @@ on:
   pull_request:
     types: [opened, ready_for_review]
 
+permissions:
+  pull-requests: write
+
 jobs:
   add-reviews:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  pull-requests: write
+
 jobs:
   get_pr_details:
     # Guardrails to only ever run if PR recording workflow was indeed
diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  issues: write
+
 jobs:
   get_pr_details:
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  pull-requests: write
+
 jobs:
   get_pr_details:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
