From 2233b7eecc4b2fa94c8797dab2b9c5743b33b4f7 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:35:23 -0400
Subject: [PATCH 1/3] ci: scope down permissions for repo-sync.yml
---
 .github/workflows/repo-sync.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
index b76053544..a55d58b84 100644
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
@@ -3,6 +3,10 @@ name: Repo Sync
 on:
   workflow_dispatch: # allows triggering this manually through the Actions UI
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   repo-sync:
     name: Repo Sync
From e7c58a4f4ac20b6dfdfd4da97b1dfeadc42e2b7a Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:35:25 -0400
Subject: [PATCH 2/3] ci: scope down permissions for daily_ci.yml
---
 .github/workflows/daily_ci.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/daily_ci.yml b/.github/workflows/daily_ci.yml
index 959983a27..7b536e5ee 100644
--- a/.github/workflows/daily_ci.yml
+++ b/.github/workflows/daily_ci.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "00 15 * * 1-5"
+permissions:
+  contents: read
+
 jobs:
   DAILY_CI:
     # Don't run the cron builds on forks
From 095f256f2441851c58b29757bfdbfb0a98390a33 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:35:27 -0400
Subject: [PATCH 3/3] ci: scope down permissions for ci_static-analysis.yaml
---
 .github/workflows/ci_static-analysis.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci_static-analysis.yaml b/.github/workflows/ci_static-analysis.yaml
index 139c158cb..f06333e47 100644
--- a/.github/workflows/ci_static-analysis.yaml
+++ b/.github/workflows/ci_static-analysis.yaml
@@ -3,6 +3,9 @@ name: static analysis
 on: ["pull_request", "push"]
+permissions:
+  contents: read
+
 jobs:
   not-grep:
     runs-on: ubuntu-latest
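Review bot: The new `permissions` block in repo-sync.yml sits at workflow level, so `contents: write` and `pull-requests: write` are granted to every job in the file rather than only to `repo-sync`; the write scopes would be tighter under `jobs.repo-sync.permissions` with a top-level `permissions: {}` (or `contents: read`), so that any job added to this file later starts without write access. Whether the file has other jobs cannot be seen from this hunk, and the `repo-sync` job itself continues past the hunk. If the sync step authenticates with a PAT or GitHub App token from `secrets` rather than `GITHUB_TOKEN`, this block does not constrain that token at all, so it is worth confirming which credential the step actually uses before treating this as the effective scope.
```yaml
permissions: {}

jobs:
  repo-sync:
    name: Repo Sync
    permissions:
      contents: write
      pull-requests: write
    # … unchanged: remainder of the repo-sync job (outside the hunk) …
```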
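Review bot: Adding a top-level `permissions:` block in daily_ci.yml sets every scope that is not listed to `none`, not only the one it names, so any step below the hunk that relies on a write scope (posting check results, commenting on pull requests, uploading code-scanning results, publishing through the API) will now fail rather than keep working silently; the `DAILY_CI` job body is outside the hunk, so that should be verified before merging. The same applies to the `contents: read` block added to ci_static-analysis.yaml in the third patch, whose hunk appears to be cut off at the end of the page. A short comment on the block, such as `# Default GITHUB_TOKEN scope for every job in this file; raise it per job with jobs.<id>.permissions if a step needs more`, would make the intent clear to the next maintainer.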