From 224ad58c662c1adfcc9843b9c986b43e471f5a6a Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Fri, 26 Jun 2026 12:55:13 -0700
Subject: [PATCH] Reduce PR dashboard workflow token permissions
---
 .github/workflows/pull-request-dashboard-repo.yml | 8 --------
 .github/workflows/pull-request-dashboard.yml | 4 ----
 2 files changed, 12 deletions(-)
diff --git a/.github/workflows/pull-request-dashboard-repo.yml b/.github/workflows/pull-request-dashboard-repo.yml
index e34bbfbb..91e4c7ca 100644
--- a/.github/workflows/pull-request-dashboard-repo.yml
+++ b/.github/workflows/pull-request-dashboard-repo.yml
@@ -64,8 +64,6 @@ jobs:
 cancel-in-progress: false
 permissions:
 contents: read
- issues: write
- pull-requests: read
 # The protected environment provides environment-level vars such as
 # PR_DASHBOARD_CLIENT_ID. The GitHub docs suggest environment secrets should
 # also be available to called reusable workflow jobs, but testing showed
@@ -131,11 +129,7 @@ jobs:
 group: ${{ github.workflow }}-state-${{ inputs.repository }}-${{ inputs.pr_number || 'full' }}
 cancel-in-progress: false
 permissions:
- actions: read
- checks: read
 contents: write
- issues: read
- pull-requests: read
 environment: protected
 runs-on: ubuntu-latest
 steps:
@@ -217,7 +211,6 @@ jobs:
 cancel-in-progress: false
 permissions:
 contents: write
- pull-requests: read
 environment: protected
 runs-on: ubuntu-latest
 steps:
@@ -260,7 +253,6 @@ jobs:
 cancel-in-progress: false
 permissions:
 contents: read
- issues: write
 environment: protected
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/pull-request-dashboard.yml b/.github/workflows/pull-request-dashboard.yml
index b044a183..49163ebf 100644
--- a/.github/workflows/pull-request-dashboard.yml
+++ b/.github/workflows/pull-request-dashboard.yml
@@ -161,11 +161,7 @@ jobs:
 needs: resolve-targets
 if: needs.resolve-targets.outputs.dashboard_precondition_met == 'true'
 permissions:
- actions: read
- checks: read
 contents: write
- issues: write
- pull-requests: read
 strategy:
 fail-fast: false
 max-parallel: 2