From d47af537c2cbe0b2a45fcb8a3956e432f6060da4 Mon Sep 17 00:00:00 2001
From: Misha Kav
Date: Mon, 20 Apr 2026 13:38:41 +0300
Subject: [PATCH] chore: harden GITHUB_TOKEN permissions on internal workflows

Scope the workflow runner token to least privilege:

- bump-gitstream-core.yml: permissions: {} (uses PAT, not GITHUB_TOKEN)
- create-tag-on-merge.yml: contents: write + pull-requests: read

Follows https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
---
 .github/workflows/bump-gitstream-core.yml | 2 ++
 .github/workflows/create-tag-on-merge.yml | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/bump-gitstream-core.yml b/.github/workflows/bump-gitstream-core.yml
index 22bd09b8..b77346cb 100644
--- a/.github/workflows/bump-gitstream-core.yml
+++ b/.github/workflows/bump-gitstream-core.yml
@@ -25,6 +25,8 @@ on:
         description: GitHub username to assign as reviewer
         required: false
 
+permissions: {}
+
 jobs:
   publish_pr:
     name: Publish PR
diff --git a/.github/workflows/create-tag-on-merge.yml b/.github/workflows/create-tag-on-merge.yml
index 2c91e406..683efb8f 100644
--- a/.github/workflows/create-tag-on-merge.yml
+++ b/.github/workflows/create-tag-on-merge.yml
@@ -15,6 +15,10 @@ on:
 env:
   SLACK_WEBHOOK: ${{ secrets.SLACK_WORKFLOWS_DEPLOYMENT_WEBHOOK }}
 
+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
   create-tag:
     runs-on: ubuntu-24.04
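Review bot: `permissions: {}` strips even `contents: read` from GITHUB_TOKEN, so any step in `publish_pr` that still falls back to `${{ github.token }}` implicitly — an `actions/checkout` without a `token:` input on a private repository, or a PR-creating action whose default token is `github.token` — will start failing with 403 rather than merely being over-privileged; the job body is outside the hunk, so this needs confirming against the steps. The commit message says the workflow authenticates with a PAT, but nothing in the file records that, so a comment above the new line would spare the next maintainer the trip, e.g. `# Empty on purpose: the job authenticates with a PAT, not GITHUB_TOKEN; grant scopes per job if a step ever needs github.token`. If one step does need the default token, a job-level `permissions:` on `publish_pr` is the narrower fix than widening this workflow-level block. Since a PAT generally carries broader rights than a scoped GITHUB_TOKEN, a fine-grained PAT or a GitHub App installation token would be consistent with the least-privilege intent stated in the message.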
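Review bot: `contents: write` is the broad scope in this block and the hunk gives no hint of which step needs it, so a comment tying each scope to its consumer keeps the block from being widened casually later, e.g. `# contents: write  -> push the release tag` and `# pull-requests: read -> look up the merged PR`. Because `actions/checkout` persists the token in `.git/config` by default, the write-capable token is reachable from every later step in `create-tag`; if the tag is created through the API rather than `git push`, `persist-credentials: false` on the checkout step narrows that exposure. The `on:` trigger and the job body are outside the hunk, so both points are to be confirmed against the steps; if the trigger is plain `pull_request`, runs from forks get a read-only token regardless of this block, which is worth noting next to the scopes.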