Scope down GitHub Token permissions

AdnaneKhan · Manciukic · commit 07ebf7e87a32 · 2025-12-03T18:18:42.000Z
This change scopes down GitHub Token permissions to least
necessary for GitHub Actions workflows.

Signed-off-by: Adnan Khan &lt;adnanek@amazon.com&gt;
diff --git a/.github/workflows/deny_dirty_cargo_locks.yml b/.github/workflows/deny_dirty_cargo_locks.yml
@@ -2,6 +2,10 @@ name: Check no Cargo.lock files are dirty
 
 on: pull_request
 
+
+permissions:
+  contents: read
+
 jobs:
   no_dirty_cargo_locks_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency_modification_check.yml b/.github/workflows/dependency_modification_check.yml
@@ -2,6 +2,10 @@ name: Check no dependencies were modified
 
 on: pull_request
 
+
+permissions:
+  contents: read
+
 jobs:
   dependency_changed_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/send_pr_notification.yml b/.github/workflows/send_pr_notification.yml
@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [labeled]
 
+
+permissions: {}
+
 jobs:
   send_notification:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/send_release_notification.yml b/.github/workflows/send_release_notification.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+
+permissions: {}
+
 jobs:
   send_notification:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/trigger_ab_tests.yml b/.github/workflows/trigger_ab_tests.yml
@@ -5,6 +5,10 @@ on:
       - firecracker-v*
       - feature/*
 
+
+permissions:
+  contents: read
+
 jobs:
   trigger_ab_test:
     runs-on: ubuntu-latest
