From 579bd272c1ca858dcd9b1c26dfed84f54ad069fe Mon Sep 17 00:00:00 2001
From: Melissa Kilby
Date: Fri, 10 Oct 2025 14:35:06 -0700
Subject: [PATCH] chore: restrict GitHub workflow permissions - future-proof
Signed-off-by: Melissa Kilby
---
 .github/workflows/automerge_to_main.yml | 2 ++
 .github/workflows/automerge_to_release.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/automerge_to_main.yml b/.github/workflows/automerge_to_main.yml
index faf2617dfb..737a91c070 100644
--- a/.github/workflows/automerge_to_main.yml
+++ b/.github/workflows/automerge_to_main.yml
@@ -1,6 +1,8 @@
 name: Create PR to merge release branch into the main branch
 # At the end of a release cycle, we may want to automatically include all changes to release branches on the main branch to avoid the need for cherry-picking changes back to release branches
 # This workflow can be disabled earlier in the release cycle in the GitHub UI as described in https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow
+permissions:
+ contents: read
 on:
 schedule:
 - cron: '0 9 * * *'
diff --git a/.github/workflows/automerge_to_release.yml b/.github/workflows/automerge_to_release.yml
index c302e53cbe..76f223e592 100644
--- a/.github/workflows/automerge_to_release.yml
+++ b/.github/workflows/automerge_to_release.yml
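Review bot: The new top-level `permissions:` block lists only `contents: read`, and once any scope is listed every unlisted scope (including `pull-requests`) becomes `none` for all jobs in the workflow. The workflow name says it creates a PR, but the jobs lie outside this hunk. Please confirm that the PR-creating job either declares its own job-level `permissions:` with `contents: write` and `pull-requests: write`, or authenticates with a separate token. If it relies on the default `GITHUB_TOKEN` without an override, the scheduled run will presumably fail at the push or PR step. The same applies to the identical hunk in `.github/workflows/automerge_to_release.yml`. A one-line comment above the block, e.g. `# Read-only default; jobs that need write access declare it at job level`, would record the intent for the next maintainer.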
@@ -1,6 +1,8 @@
 name: Create PR to merge main into release branch
 # In the first period after branching the release branch, we typically want to include many changes from `main` in the release branch. This workflow automatically creates a PR every Monday to merge main into the release branch.
 # Later in the release cycle we should stop this practice to avoid landing risky changes by disabling this workflow. To do so, disable the workflow as described in https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow
+permissions:
+ contents: read
 on:
 schedule:
 - cron: '0 9 * * MON'