From 383e42d98833de538a83f6f060e679243c4d8520 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Wed, 3 Dec 2025 12:31:27 -0500
Subject: [PATCH] Scope down GitHub Token permissions

This change scopes down GitHub Token permissions to least necessary for GitHub Actions workflows.

Signed-off-by: Adnan Khan
---
 .github/workflows/deny_dirty_cargo_locks.yml | 4 ++++
 .github/workflows/dependency_modification_check.yml | 4 ++++
 .github/workflows/send_pr_notification.yml | 3 +++
 .github/workflows/send_release_notification.yml | 3 +++
 .github/workflows/trigger_ab_tests.yml | 4 ++++
 5 files changed, 18 insertions(+)

diff --git a/.github/workflows/deny_dirty_cargo_locks.yml b/.github/workflows/deny_dirty_cargo_locks.yml
index 98b9754013f..244e302dd4d 100644
--- a/.github/workflows/deny_dirty_cargo_locks.yml
+++ b/.github/workflows/deny_dirty_cargo_locks.yml
@@ -2,6 +2,10 @@ name: Check no Cargo.lock files are dirty
 on:
   pull_request
+
+permissions:
+  contents: read
+
 jobs:
   no_dirty_cargo_locks_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency_modification_check.yml b/.github/workflows/dependency_modification_check.yml
index ac6537af102..10df0a863eb 100644
--- a/.github/workflows/dependency_modification_check.yml
+++ b/.github/workflows/dependency_modification_check.yml
@@ -2,6 +2,10 @@ name: Check no dependencies were modified
 on:
   pull_request
+
+permissions:
+  contents: read
+
 jobs:
   dependency_changed_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/send_pr_notification.yml b/.github/workflows/send_pr_notification.yml
index d7148a67ec9..b0412184ffa 100644
--- a/.github/workflows/send_pr_notification.yml
+++ b/.github/workflows/send_pr_notification.yml
@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [labeled]
+
+permissions: {}
+
 jobs:
   send_notification:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/send_release_notification.yml b/.github/workflows/send_release_notification.yml
index 65d03f0c940..9dadb357570 100644
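Review bot: The new top-level `permissions:` block with `contents: read` in deny_dirty_cargo_locks.yml carries no comment saying why read-only access to contents is the right grant, and the identical block added to dependency_modification_check.yml has the same gap. The job bodies lie outside both hunks, so I cannot confirm that checkout is the only use of the token; presumably the grant is sized for actions/checkout alone. A one-line comment above the block, `# GITHUB_TOKEN is only needed for checkout; grant extra scopes per job, never here`, records that intent and steers later edits toward job-level `permissions:` instead of widening the workflow default. It is also worth noting in that comment that this explicit block overrides the repository's default token setting, so the read-only posture no longer depends on how the repository default is configured.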
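Review bot: `permissions: {}` in send_pr_notification.yml strips every scope from the GITHUB_TOKEN, but on a `pull_request_target` trigger the job still runs in the base repository's context with access to repository secrets, which this hunk does not address; the same `permissions: {}` block is added to send_release_notification.yml. The `send_notification` job body is outside the hunk, so I cannot see whether it checks out or runs anything from the pull request head — if it does, the empty token grant alone is not a sufficient control and deserves its own review. A comment above the block, `# Notification-only job: no GITHUB_TOKEN scopes are required`, would document the intent; adjust it to name whatever credential the job actually reads, if any.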
--- a/.github/workflows/send_release_notification.yml
+++ b/.github/workflows/send_release_notification.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
+
+permissions: {}
+
 jobs:
   send_notification:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/trigger_ab_tests.yml b/.github/workflows/trigger_ab_tests.yml
index bb7c81f1e14..9c4691d3992 100644
--- a/.github/workflows/trigger_ab_tests.yml
+++ b/.github/workflows/trigger_ab_tests.yml
@@ -5,6 +5,10 @@ on:
       - firecracker-v*
       - feature/*
+
+permissions:
+  contents: read
+
 jobs:
   trigger_ab_test:
     runs-on: ubuntu-latest
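Review bot: `contents: read` is the only grant added to trigger_ab_tests.yml, yet the job is named `trigger_ab_test`, and if it dispatches another workflow run through the GITHUB_TOKEN (REST API or `gh workflow run`) that call requires `actions: write` and will now be rejected; the job body is outside the hunk, so this is inferred from the name and should be checked. If the dispatch uses a separately provisioned credential, nothing breaks, but a comment above the block such as `# GITHUB_TOKEN is only used for checkout; the A/B dispatch uses its own credential` would make the read-only grant self-explanatory. If the token is what triggers the dispatch, the extra scope belongs on the `trigger_ab_test` job's own `permissions:` rather than at workflow level, so the workflow default stays read-only.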