From 17d738836a8b6b04bae7e7a45b2166150ac00237 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2026 16:03:55 -0800 Subject: [PATCH] Add least-privilege permissions to triage workflow Add explicit permissions: block (pull-requests: write, issues: write) to constrain GITHUB_TOKEN scope on pull_request_target trigger. Ref: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation Co-Authored-By: Claude Opus 4.6 --- .github/workflows/triage.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml index c16aacd..66c3331 100644 --- a/.github/workflows/triage.yml +++ b/.github/workflows/triage.yml @@ -8,6 +8,10 @@ on: types: - opened +permissions: + pull-requests: write + issues: write + jobs: label:
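Review bot: The new top-level `permissions:` block (the four added lines before `jobs:`) applies to every job in the workflow and also switches every unlisted scope to none, so please confirm that the `label` job needs neither `contents: read` (it will fail on any `actions/checkout` step once this block is present) nor any other scope that was previously implied by the default token. Since the hunk shows a single `label:` job, consider moving the block under that job rather than at workflow level, so that jobs added later default to no permissions instead of inheriting `pull-requests: write` and `issues: write`. It would also help to add a short YAML comment beside `issues: write` stating why it is required for labeling (the commit message says least-privilege but does not explain that scope), so a future reader does not drop it or widen it without understanding the `pull_request_target` exposure referenced in the commit message.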