From 656aeab299c79e8c38e3185485858014fc257498 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 18:02:02 -0400
Subject: [PATCH 1/6] ci: scope down permissions for make-docs.yml

---
 .github/workflows/make-docs.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/make-docs.yml b/.github/workflows/make-docs.yml
index 26de09e8d58..74b709ea11a 100644
--- a/.github/workflows/make-docs.yml
+++ b/.github/workflows/make-docs.yml
@@ -16,6 +16,9 @@ on:
 env:
 ARTIFACTS_DIR: /tmp/artifacts
+permissions:
+ contents: write
+
 jobs:
 build-docs:
 runs-on: ubuntu-latest
From 817b2383df51ef62b55c52d32ceab70b16c05463 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 18:02:03 -0400
Subject: [PATCH 2/6] ci: scope down permissions for stale-issues.yml

---
 .github/workflows/stale-issues.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml
index fad299a334b..70ce1288a76 100644
--- a/.github/workflows/stale-issues.yml
+++ b/.github/workflows/stale-issues.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ issues: write
+
 jobs:
 cleanup:
 runs-on: ubuntu-latest
From 57dd9249e168e918353a88c15724c650aff5f485 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 18:02:05 -0400
Subject: [PATCH 3/6] ci: scope down permissions for post-release.yml

---
 .github/workflows/post-release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index aebc963cd21..5190235ce2f 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@@ -15,6 +15,9 @@ on:
 env:
 version: ${{ github.event.inputs.version || github.ref_name }}
+permissions:
+ contents: read
+
 jobs:
 homebrew-tap:
 runs-on: ubuntu-latest
From 05f0f69732eadc1667e75e89ee4fc723788579c4 Mon Sep 17 00:00:00 2001
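Review bot: In make-docs.yml the `contents: write` grant is placed at workflow level, so every job in the file receives a token that can push to the repository, not only the step that publishes the docs. Only the first job, `build-docs`, is visible in the hunk; if the file has more than one job, or the build and publish work can be split, keep `contents: read` at the top and put a `permissions:` block with `contents: write` on the publishing job alone. The same applies to update-gradle-plugin.yml in patch 6/6, where `contents: write` and `pull-requests: write` also reach `get-version`, which by its name probably only reads. A one-line comment above each write grant naming the step that needs it would help later reviewers keep the scope from widening.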
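Review bot: In stale-issues.yml the new block lists only `issues: write`, and once a `permissions` key is present every scope that is not listed drops to none, so the `cleanup` job's token can no longer act on pull requests. The job's steps are outside the hunk; if the stale action it runs is also configured to label, comment on or close pull requests, those calls will start failing and the block needs `pull-requests: write` as well. A scheduled job that fails on permissions is easy to miss, so it is worth checking one run of the workflow after merge.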
From: Adnan Khan
Date: Tue, 21 Oct 2025 18:02:07 -0400
Subject: [PATCH 4/6] ci: scope down permissions for ci.yml

---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 281619480db..590953a441b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
From 6c1db46c756c498f3815f0eab02e708e054970c9 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 18:02:09 -0400
Subject: [PATCH 5/6] ci: scope down permissions for sdk-codegen-ci.yml

---
 .github/workflows/sdk-codegen-ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/sdk-codegen-ci.yml b/.github/workflows/sdk-codegen-ci.yml
index e93f841b14e..d11823f16a2 100644
--- a/.github/workflows/sdk-codegen-ci.yml
+++ b/.github/workflows/sdk-codegen-ci.yml
@@ -3,6 +3,9 @@ name: sdk-codegen-ci
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build-aws-sdk-js-v3:
 runs-on: ubuntu-latest
From 9d91b46918c69832cfbd3c5c9d4f14143675b5dd Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 18:02:11 -0400
Subject: [PATCH 6/6] ci: scope down permissions for update-gradle-plugin.yml

---
 .github/workflows/update-gradle-plugin.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/update-gradle-plugin.yml b/.github/workflows/update-gradle-plugin.yml
index 80c206fb9b8..1b2489af29c 100644
--- a/.github/workflows/update-gradle-plugin.yml
+++ b/.github/workflows/update-gradle-plugin.yml
@@ -6,6 +6,10 @@ on:
 # Runs every wednesday at 11
 - cron: '0 11 * * WED'
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 get-version:
 runs-on: ubuntu-latest