From 06ac58993e519185e852af8159a35d91439d9ab7 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 18:11:14 -0400
Subject: [PATCH 1/5] Scope down GitHub token permissions for send_release_notification.yml

Signed-off-by: Adnan Khan
---
 .github/workflows/send_release_notification.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/send_release_notification.yml b/.github/workflows/send_release_notification.yml
index 65d03f0c940..9dadb357570 100644
--- a/.github/workflows/send_release_notification.yml
+++ b/.github/workflows/send_release_notification.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+
+permissions: {}
+
 jobs:
   send_notification:
     runs-on: ubuntu-latest

From b49bc2d03b5b2d851065a157d6ca3d6005a1a145 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 18:11:19 -0400
Subject: [PATCH 2/5] Scope down GitHub token permissions for dependency_modification_check.yml

Signed-off-by: Adnan Khan
---
 .github/workflows/dependency_modification_check.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/dependency_modification_check.yml b/.github/workflows/dependency_modification_check.yml
index ac6537af102..10df0a863eb 100644
--- a/.github/workflows/dependency_modification_check.yml
+++ b/.github/workflows/dependency_modification_check.yml
@@ -2,6 +2,10 @@ name: Check no dependencies were modified
 
 on: pull_request
 
+
+permissions:
+  contents: read
+
 jobs:
   dependency_changed_check:
     runs-on: ubuntu-latest

From 84f059cfff580e202f01bd609d05646ab34a5899 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 18:11:24 -0400
Subject: [PATCH 3/5] Scope down GitHub token permissions for deny_dirty_cargo_locks.yml

Signed-off-by: Adnan Khan
---
 .github/workflows/deny_dirty_cargo_locks.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/deny_dirty_cargo_locks.yml b/.github/workflows/deny_dirty_cargo_locks.yml
index 98b9754013f..244e302dd4d 100644
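Review bot: The first added `+` line is an empty line placed directly under the blank context line that already separates the `on:` block from `jobs:`, so the rewritten file carries two consecutive empty lines above `permissions: {}`; the same pattern appears in the hunks for dependency_modification_check.yml, deny_dirty_cargo_locks.yml, trigger_ab_tests.yml and send_pr_notification.yml. Dropping that leading `+` line in each hunk keeps the single blank line the files already use between top-level stanzas (yamllint's `empty-lines` default tolerates two, but one is the convention). The empty mapping is the right shape when the job needs no GitHub API access at all; a short comment above it such as `# no GITHUB_TOKEN scopes needed for this job` would record that this is deliberate rather than a placeholder, with the wording adjusted to what the steps, which are outside the hunk, actually use.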
--- a/.github/workflows/deny_dirty_cargo_locks.yml
+++ b/.github/workflows/deny_dirty_cargo_locks.yml
@@ -2,6 +2,10 @@ name: Check no Cargo.lock files are dirty
 
 on: pull_request
 
+
+permissions:
+  contents: read
+
 jobs:
   no_dirty_cargo_locks_check:
     runs-on: ubuntu-latest

From 53d45eba5867d1386c5ed8cddcaea6840cc4b48b Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 18:11:29 -0400
Subject: [PATCH 4/5] Scope down GitHub token permissions for trigger_ab_tests.yml

Signed-off-by: Adnan Khan
---
 .github/workflows/trigger_ab_tests.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/trigger_ab_tests.yml b/.github/workflows/trigger_ab_tests.yml
index bb7c81f1e14..9c4691d3992 100644
--- a/.github/workflows/trigger_ab_tests.yml
+++ b/.github/workflows/trigger_ab_tests.yml
@@ -5,6 +5,10 @@ on:
       - firecracker-v*
       - feature/*
 
+
+permissions:
+  contents: read
+
 jobs:
   trigger_ab_test:
     runs-on: ubuntu-latest

From a9c2d6bd98bd49278b8ff7721755dcf4ab3d6c85 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 18:11:34 -0400
Subject: [PATCH 5/5] Scope down GitHub token permissions for send_pr_notification.yml

Signed-off-by: Adnan Khan
---
 .github/workflows/send_pr_notification.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/send_pr_notification.yml b/.github/workflows/send_pr_notification.yml
index d7148a67ec9..b0412184ffa 100644
--- a/.github/workflows/send_pr_notification.yml
+++ b/.github/workflows/send_pr_notification.yml
@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [labeled]
 
+
+permissions: {}
+
 jobs:
   send_notification:
     runs-on: ubuntu-latest
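Review bot: `contents: read` covers only repository reads, so if the `trigger_ab_test` job (its steps are outside the hunk) dispatches another workflow through `GITHUB_TOKEN`, that API call will now fail at run time rather than at workflow validation; if it uses a separately issued credential or an external system, the new scope is sufficient. This is inferred from the job name only, so it is worth confirming with a push to one of the listed branch patterns before merging. Whatever the outcome, a comment above the block stating which credential the dispatch uses, e.g. `# read-only on purpose: the trigger step does not rely on GITHUB_TOKEN`, would stop the next maintainer from widening the scope by guesswork.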
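Review bot: `permissions: {}` strips every scope from `GITHUB_TOKEN`, but it does not change that a `pull_request_target` run executes in the base repository's context with access to its secrets, so the `send_notification` job (outside the hunk) must still avoid checking out or executing code from the pull request head, and nothing in the workflow currently says so. A comment above the new block would pin that down, e.g. `# pull_request_target: token kept scopeless on purpose; never check out or run PR head code in this workflow`, so a later edit does not reintroduce a head-ref checkout next to a secret. Because the trigger is `types: [labeled]`, anyone who can apply labels can start this run, which is a further reason to keep the token unprivileged and the steps free of untrusted input.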