From 9a6615b43bdfec63a76e41fd400255ee3a7cad1e Mon Sep 17 00:00:00 2001
From: moorec-aws <122481442+moorec-aws@users.noreply.github.com>
Date: Thu, 27 Nov 2025 12:22:51 -0600
Subject: [PATCH] ci: specify permissions that workflows pass to jobs/actions

Signed-off-by: Charles Moore <122481442+moorec-aws@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 2 ++
 .github/workflows/release_bump.yml | 3 +++
 .github/workflows/responded.yml | 3 +++
 .github/workflows/stale_prs_and_issues.yml | 4 ++++
 4 files changed, 12 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9fa5f5c0..4858e33b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,3 +12,5 @@ jobs:
 Analysis:
 name: Analysis
 uses: OpenJobDescription/.github/.github/workflows/reusable_codeql.yml@mainline
+ permissions:
+ security-events: write
diff --git a/.github/workflows/release_bump.yml b/.github/workflows/release_bump.yml
index 6b6a87dd..153dac24 100644
--- a/.github/workflows/release_bump.yml
+++ b/.github/workflows/release_bump.yml
@@ -20,6 +20,9 @@ jobs:
 Bump:
 name: Version Bump
 uses: OpenJobDescription/.github/.github/workflows/reusable_bump.yml@mainline
+ permissions:
+ contents: write
+ pull-requests: write
 secrets: inherit
 with:
 force_version_bump: ${{ inputs.force_version_bump }}
\ No newline at end of file
diff --git a/.github/workflows/responded.yml b/.github/workflows/responded.yml
index a25d0988..ab78ee9f 100644
--- a/.github/workflows/responded.yml
+++ b/.github/workflows/responded.yml
@@ -6,3 +6,6 @@ on:
 jobs:
 check-for-response:
 uses: OpenJobDescription/.github/.github/workflows/reusable_responded.yml@mainline
+ permissions:
+ issues: write
+ pull-requests: write
diff --git a/.github/workflows/stale_prs_and_issues.yml b/.github/workflows/stale_prs_and_issues.yml
index 9b465db1..16cae393 100644
--- a/.github/workflows/stale_prs_and_issues.yml
+++ b/.github/workflows/stale_prs_and_issues.yml
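Review bot: The new `permissions:` block on the Analysis job in codeql.yml lists only `security-events: write`, and because an explicit job-level `permissions` key sets every unlisted scope to none, the called `reusable_codeql.yml` is no longer passed `contents: read` for checking out the repository (nor `actions: read`, which CodeQL result upload needs on private repositories). The stale_prs_and_issues.yml hunk in this same commit does include `contents: read`, so the omission here looks accidental rather than deliberate; I would add `contents: read` beneath `security-events: write` (and `actions: read` if the repository is private). Whether the reusable workflow actually checks out with the token cannot be confirmed from this page, since it lives in `OpenJobDescription/.github` and is referenced by the branch `@mainline`.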
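Review bot: The `contents: write` / `pull-requests: write` block on the Bump job in release_bump.yml narrows the GITHUB_TOKEN, but the `secrets: inherit` line two lines below still hands every repository secret to `reusable_bump.yml@mainline`, so the least-privilege intent of this commit covers the token only; if the bump needs particular secrets, passing them by name under `secrets:` would match the new permissions. Because each called workflow lives in another repository and is pinned to a branch rather than a tag or SHA, its permission needs can drift silently, so a one-line comment per scope naming the operation in the reusable workflow that requires it (e.g. `# contents: write — <step in reusable_bump.yml that pushes>`) would keep these grants reviewable; the same applies to the responded.yml and stale_prs_and_issues.yml hunks. The `\ No newline at end of file` marker shows the file still ends without a trailing newline after this edit.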
@@ -7,3 +7,7 @@ on:
 jobs:
 check-for-stales:
 uses: OpenJobDescription/.github/.github/workflows/reusable_stale_prs_and_issues.yml@mainline
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write