From 1635dacae8e239cbf444b7cdba23dd191ff33feb Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:54:49 -0400
Subject: [PATCH 1/6] ci: scope down permissions for stale.yml

---
 .github/workflows/stale.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 4cd090ce20..517aaa5c57 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,10 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest

From e8e0028d07ddd36b4fb5d97f4057ece7e5c4f67e Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:54:51 -0400
Subject: [PATCH 2/6] ci: scope down permissions for release_pr.yml

---
 .github/workflows/release_pr.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index 51d3a50787..cf1522d856 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
@@ -18,6 +18,10 @@ env:
   GIT_USER_NAME: amplify-android-dev+ghops
   GIT_USER_EMAIL: amplify-android-dev+ghops@amazon.com
   BASE_BRANCH: ${{ github.ref_name }}
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   create_pr_for_next_release:
     runs-on: ubuntu-latest

From e364e731d492b0ae9cc4fbccba044273c5a7fbe7 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:54:53 -0400
Subject: [PATCH 3/6] ci: scope down permissions for pr_title_checker.yml

---
 .github/workflows/pr_title_checker.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pr_title_checker.yml b/.github/workflows/pr_title_checker.yml
index e3fb011ca5..617b859a83 100644
--- a/.github/workflows/pr_title_checker.yml
+++ b/.github/workflows/pr_title_checker.yml
@@ -10,6 +10,9 @@ on:
       - labeled
       - unlabeled
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

From 0bfcdd6267b990b6e7ebd00e159d9936733fb03e Mon Sep 17 00:00:00 2001
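Review bot: The two write scopes in stale.yml are granted to a scheduled job with nothing in the file saying why, so the next pass at tightening permissions is likely to try `read` and break the job; a comment above the block, `# actions/stale labels and closes issues and PRs, which needs write on both scopes`, would pin the reason. Because a top-level `permissions` key sets every unlisted scope to none, `contents` becomes none here, which is appropriate for a job that does not check out the repository. The job's steps are outside the hunk, so that it runs actions/stale is inferred from the file name and should be confirmed.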
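Review bot: release_pr.yml is the only one of the six hunks where `permissions:` is inserted with no blank line before it — the six context lines run straight from `BASE_BRANCH` under `env:` into the new block — while the other files keep a blank line between stanzas; adding one keeps the series consistent. `contents: write` is also the broadest grant in the series: it is required if the job pushes the release branch with the `GITHUB_TOKEN`, but if the push or the PR creation uses a separate token from secrets it could come down to `read`. The steps that decide this are outside the hunk; a comment such as `# contents: write to push the release branch, pull-requests: write to open the PR` would record the expectation either way.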
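Review bot: `contents: read` at workflow level in pr_title_checker.yml also sets every other scope to none, so the steps of the `check` job (outside the hunk) need checking against it: a step that reads or comments on the PR through the API now lacks `pull-requests` and would fail at runtime, while a job that only inspects `github.event.pull_request.title` from the event payload needs no token at all and could use `permissions: {}`. The same question applies to hunks 4, 5 and 6 (notify_pull_request.yml, notify_release.yml, codecov_code_coverage.yml): `contents: read` is right where the job checks out the repository, and more than needed where it only sends a notification using a secret. A one-line comment above each block, `# read-only token; a step that needs more must request it at job level`, would state the intent for the next maintainer.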
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:54:55 -0400
Subject: [PATCH 4/6] ci: scope down permissions for notify_pull_request.yml

---
 .github/workflows/notify_pull_request.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/notify_pull_request.yml b/.github/workflows/notify_pull_request.yml
index 5d94031869..2e7f39bf02 100644
--- a/.github/workflows/notify_pull_request.yml
+++ b/.github/workflows/notify_pull_request.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [opened, ready_for_review, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   notify:
     runs-on: ubuntu-latest

From 5b396014d8de6797e287ca4a226931693b613ff6 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:54:57 -0400
Subject: [PATCH 5/6] ci: scope down permissions for notify_release.yml

---
 .github/workflows/notify_release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/notify_release.yml b/.github/workflows/notify_release.yml
index df537a037f..1531f9e342 100644
--- a/.github/workflows/notify_release.yml
+++ b/.github/workflows/notify_release.yml
@@ -9,6 +9,9 @@ on:
     types: [created, published]
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions:
+  contents: read
+
 jobs:
   # This workflow contains a single job called "notify"
   notify:

From ab696f43e45f42cc2331c8de88f7a43c1a2bd96f Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:54:58 -0400
Subject: [PATCH 6/6] ci: scope down permissions for codecov_code_coverage.yml

---
 .github/workflows/codecov_code_coverage.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/codecov_code_coverage.yml b/.github/workflows/codecov_code_coverage.yml
index 61faad0119..ca34fbf848 100644
--- a/.github/workflows/codecov_code_coverage.yml
+++ b/.github/workflows/codecov_code_coverage.yml
@@ -9,6 +9,9 @@ on:
       - 'main'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest