From 46ba815cb806e00664261d2c9ee4af34739f82c6 Mon Sep 17 00:00:00 2001
From: Fabrizio Ferri Benedetti
Date: Tue, 16 Jun 2026 09:55:14 +0200
Subject: [PATCH] Scope patch release workflow write permissions to its job.

Deny permissions by default at the workflow level and grant `contents: write` plus `pull-requests: write` only to the job that creates the bump PR, so the workflow stays compatible with a read-only default token.

Co-authored-by: OpenAI
Co-authored-by: Cursor
---
 .github/workflows/patch-release-version-bump.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/patch-release-version-bump.yml b/.github/workflows/patch-release-version-bump.yml
index 7625e7b4f27e6..030aafc28548e 100644
--- a/.github/workflows/patch-release-version-bump.yml
+++ b/.github/workflows/patch-release-version-bump.yml
@@ -15,9 +15,14 @@ on:
 description: 'Patch version (new)'
 options: ['1', '2', '3', '4', '5', '6', '7', '8', '9', '10', '11', '12', '13', '14', '15', '16', '17', '18', '19', '20', '21', '22', '23', '24', '25']
 
+permissions: {}
+
 jobs:
 create-pull-request:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Check out repository code
 uses: actions/checkout@v4
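Review bot: The job-level `contents: write` and `pull-requests: write` grant applies to every step of create-pull-request, including the third-party action on the `uses: actions/checkout@v4` context line and whatever steps follow it outside the hunk, so the token those actions run with is still a write token; pinning each `uses:` to a full commit SHA (keeping the tag in a trailing comment) would stop a mutable tag from being able to spend that scope. A short comment above the new workflow-level line would also help the next editor, e.g. `# Deny everything at the workflow level; the bump job below re-grants only what opening the PR needs.` If the PR is opened with the default GITHUB_TOKEN rather than a separate token, GitHub does not start pull_request-triggered workflows for that PR, so CI on the bump PR may be silently skipped — the steps that open the PR are outside the hunk, so this may already be handled.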