From 6a8733ac0dcb3e46f2a7072c28959b472ba0126b Mon Sep 17 00:00:00 2001
From: Nikunj Kohli
Date: Thu, 23 Oct 2025 17:53:10 +0530
Subject: [PATCH] Restrict GITHUB_TOKEN permissions on GitHub Actions

---
 .github/workflows/add-release-pongo.yml | 2 ++
 .github/workflows/ast-grep.yml | 2 ++
 .github/workflows/autodocs.yml | 3 +++
 .github/workflows/backport-fail-bot.yml | 2 ++
 .github/workflows/build.yml | 2 ++
 .github/workflows/build_and_test.yml | 2 ++
 .github/workflows/buildifier.yml | 2 ++
 .github/workflows/changelog-requirement.yml | 2 ++
 .github/workflows/changelog-validation.yml | 2 ++
 .github/workflows/community-stale.yml | 2 ++
 .github/workflows/copyright-check.yml | 2 ++
 .github/workflows/label-check.yml | 3 +++
 .github/workflows/label-schema.yml | 3 +++
 .github/workflows/labeler-v2.yml | 2 ++
 .github/workflows/openresty-patches-companion.yml | 2 ++
 .github/workflows/perf.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 .github/workflows/update-ngx-wasm-module.yml | 2 ++
 .github/workflows/update-test-runtime-statistics.yml | 2 ++
 .github/workflows/upgrade-tests.yml | 3 +++
 20 files changed, 44 insertions(+)

diff --git a/.github/workflows/add-release-pongo.yml b/.github/workflows/add-release-pongo.yml
index 5917c286e68..f0e25911b29 100644
--- a/.github/workflows/add-release-pongo.yml
+++ b/.github/workflows/add-release-pongo.yml
@@ -5,6 +5,8 @@ on:
 tags:
 - '[1-9]+.[0-9]+.[0-9]+'
 
+permissions: read-all
+
 jobs:
 set_vars:
 name: Set Vars
diff --git a/.github/workflows/ast-grep.yml b/.github/workflows/ast-grep.yml
index b1e2e660285..df8f70af619 100644
--- a/.github/workflows/ast-grep.yml
+++ b/.github/workflows/ast-grep.yml
@@ -10,6 +10,8 @@ on:
 # globs for files that we want to check with ast-grep here
 - '**/*.lua'
 
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/autodocs.yml b/.github/workflows/autodocs.yml
index 8564adc087d..40742e8b4e4 100644
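Review bot: The `permissions: read-all` added after `on:` in add-release-pongo.yml (and identically in the other nineteen workflows of this patch) is broader than the least-privilege baseline the commit title aims for: it grants read on every token scope, including packages, deployments, security-events and others that a checkout-and-test job never touches. The conventional top-level floor is a single named scope, `permissions:` followed by `  contents: read`, with jobs that need more raising only the specific scope at job level. That form is also what GitHub's own hardening guidance and most policy scanners (e.g. OpenSSF Scorecard's token-permissions check) expect, so it avoids a follow-up patch later.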
--- a/.github/workflows/autodocs.yml
+++ b/.github/workflows/autodocs.yml
@@ -16,6 +16,9 @@ on:
 description: "Ignore the build cache and build dependencies from scratch"
 type: boolean
 default: false
+
+permissions: read-all
+
 jobs:
 build:
 name: Build dependencies
diff --git a/.github/workflows/backport-fail-bot.yml b/.github/workflows/backport-fail-bot.yml
index 6d549ea33ed..98f4f9aaebe 100644
--- a/.github/workflows/backport-fail-bot.yml
+++ b/.github/workflows/backport-fail-bot.yml
@@ -4,6 +4,8 @@ on:
 issue_comment:
 types: [created]
 
+permissions: read-all
+
 jobs:
 check_comment:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d71adeb8341..bcb0cee1617 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,8 @@ on:
 description: 'Computed cache key, used for restoring cache in other workflows'
 value: ${{ jobs.build.outputs.cache-key }}
 
+permissions: read-all
+
 env:
 BUILD_ROOT: ${{ github.workspace }}/${{ inputs.relative-build-root }}
 
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index 18a8abac890..e585a313b11 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -25,6 +25,8 @@ on:
 type: boolean
 default: false
 
+permissions: read-all
+
 # cancel previous runs if new commits are pushed to the PR, but run for each commit on master
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/buildifier.yml b/.github/workflows/buildifier.yml
index 85d3aaab0c2..ed01056f37e 100644
--- a/.github/workflows/buildifier.yml
+++ b/.github/workflows/buildifier.yml
@@ -17,6 +17,8 @@ on:
 - master
 - release/*
 
+permissions: read-all
+
 jobs:
 
 autoformat:
diff --git a/.github/workflows/changelog-requirement.yml b/.github/workflows/changelog-requirement.yml
index 89a5eeb3561..27f621e3f57 100644
--- a/.github/workflows/changelog-requirement.yml
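Review bot: A workflow-level `permissions:` block replaces the repository default entirely, so the `read-all` added to backport-fail-bot.yml caps its `check_comment` job (triggered on `issue_comment`) at read scopes unless a job-level `permissions:` block outside this hunk raises them; if that job replies or reacts on the issue through GITHUB_TOKEN it will now fail with a 403. The same question applies to `autoformat` in buildifier.yml in this line, and later in the patch to `close-issues` in community-stale.yml, `labeler` in labeler-v2.yml, `create-pr` in openresty-patches-companion.yml, `update` in update-ngx-wasm-module.yml and the perf.yml steps gated on `HAS_ACCESS_TO_GITHUB_TOKEN`, whose names imply issue, pull-request or content writes. The job bodies are not visible here, so this is inferred from job names and triggers rather than confirmed. Where a job genuinely writes, keep the workflow read-only and grant the narrow scope on that job alone, e.g. for a stale-issue job `permissions:` / `  issues: write` / `  pull-requests: write`; jobs that use a separate PAT or app token need no change.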
+++ b/.github/workflows/changelog-requirement.yml
@@ -9,6 +9,8 @@ on:
 - '.requirements'
 - 'changelog/**'
 
+permissions: read-all
+
 jobs:
 require-changelog:
 if: ${{ !contains(github.event.*.labels.*.name, 'skip-changelog') }}
diff --git a/.github/workflows/changelog-validation.yml b/.github/workflows/changelog-validation.yml
index 6796acedc6d..ccf7b3d1cc5 100644
--- a/.github/workflows/changelog-validation.yml
+++ b/.github/workflows/changelog-validation.yml
@@ -4,6 +4,8 @@ on:
 pull_request:
 types: [ opened, synchronize ]
 
+permissions: read-all
+
 jobs:
 validate-changelog:
 name: Validate changelog
diff --git a/.github/workflows/community-stale.yml b/.github/workflows/community-stale.yml
index f6cba0a6452..5780ec8a8f5 100644
--- a/.github/workflows/community-stale.yml
+++ b/.github/workflows/community-stale.yml
@@ -3,6 +3,8 @@ on:
 schedule:
 - cron: "30 1 * * *"
 
+permissions: read-all
+
 jobs:
 close-issues:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/copyright-check.yml b/.github/workflows/copyright-check.yml
index 3459f669077..48eef194c68 100644
--- a/.github/workflows/copyright-check.yml
+++ b/.github/workflows/copyright-check.yml
@@ -3,6 +3,8 @@ name: Detect Unexpected EE Changes
 on:
 pull_request:
 
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml
index 4b194e88125..6e033d2fd3e 100644
--- a/.github/workflows/label-check.yml
+++ b/.github/workflows/label-check.yml
@@ -2,6 +2,9 @@ name: Pull Request Label Checker
 on:
 pull_request:
 types: [opened, edited, synchronize, labeled, unlabeled]
+
+permissions: read-all
+
 jobs:
 check-labels:
 name: prevent merge labels
diff --git a/.github/workflows/label-schema.yml b/.github/workflows/label-schema.yml
index cae5513ee6d..b8fe5f5447e 100644
--- a/.github/workflows/label-schema.yml
+++ b/.github/workflows/label-schema.yml
@@ -2,6 +2,9 @@ name: Pull Request Schema Labeler
 on:
 pull_request:
 types: [opened, edited, labeled, unlabeled]
+
+permissions: read-all
+
 jobs:
 schema-change-labels:
 if: "${{ contains(github.event.*.labels.*.name, 'schema-change-noteworthy') }}"
diff --git a/.github/workflows/labeler-v2.yml b/.github/workflows/labeler-v2.yml
index 73373a0eda1..5058e53a74a 100644
--- a/.github/workflows/labeler-v2.yml
+++ b/.github/workflows/labeler-v2.yml
@@ -2,6 +2,8 @@ name: "Pull Request Labeler v2"
 on:
 - pull_request
 
+permissions: read-all
+
 jobs:
 labeler:
 if: ${{ !github.event.pull_request.head.repo.fork }}
diff --git a/.github/workflows/openresty-patches-companion.yml b/.github/workflows/openresty-patches-companion.yml
index 3d8bb22023e..616e73225ce 100644
--- a/.github/workflows/openresty-patches-companion.yml
+++ b/.github/workflows/openresty-patches-companion.yml
@@ -4,6 +4,8 @@ on:
 paths:
 - 'build/openresty/patches/**'
 
+permissions: read-all
+
 jobs:
 create-pr:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/perf.yml b/.github/workflows/perf.yml
index e36d5fdbfbb..054dd6c9a7e 100644
--- a/.github/workflows/perf.yml
+++ b/.github/workflows/perf.yml
@@ -6,6 +6,8 @@ on:
 # don't know the timezone but it's daily at least
 - cron: '0 7 * * *'
 
+permissions: read-all
+
 env:
 terraform_version: '1.2.4'
 HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index be12e032163..f7c4e439c98 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,6 +26,8 @@ on: # yamllint disable-line rule:truthy
 required: true
 type: string
 
+permissions: read-all
+
 # `commit-ly` is a flag that indicates whether the build should be run per commit.
 env:
 
diff --git a/.github/workflows/update-ngx-wasm-module.yml b/.github/workflows/update-ngx-wasm-module.yml
index b6f7481ca33..948ab2bab68 100644
--- a/.github/workflows/update-ngx-wasm-module.yml
+++ b/.github/workflows/update-ngx-wasm-module.yml
@@ -6,6 +6,8 @@ on:
 # run weekly
 - cron: '0 0 * * 0'
 
+permissions: read-all
+
 jobs:
 update:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/update-test-runtime-statistics.yml b/.github/workflows/update-test-runtime-statistics.yml
index 4cc70469f29..0769f4967e1 100644
--- a/.github/workflows/update-test-runtime-statistics.yml
+++ b/.github/workflows/update-test-runtime-statistics.yml
@@ -8,6 +8,8 @@ on:
 branches:
 - feat/test-run-scheduler
 
+permissions: read-all
+
 jobs:
 process-statistics:
 name: Download statistics from GitHub and combine them
diff --git a/.github/workflows/upgrade-tests.yml b/.github/workflows/upgrade-tests.yml
index d3c75d916a6..b0ebe5e5d5a 100644
--- a/.github/workflows/upgrade-tests.yml
+++ b/.github/workflows/upgrade-tests.yml
@@ -19,6 +19,9 @@ on:
 - release/*
 - test-please/*
 workflow_dispatch:
+
+permissions: read-all
+
 # cancel previous runs if new commits are pushed to the PR, but run for each commit on master
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}