This is an automated email from the ASF dual-hosted git repository.

apupier pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/main by this push:
     new 7e5f828333db ci: declare least-privilege permissions on PR helper workflows
7e5f828333db is described below

commit 7e5f828333db0a2bfebef5d06512f432246ee36e
Author: Arpit Jain <[email protected]>
AuthorDate: Sun May 31 22:30:10 2026 +0900

    ci: declare least-privilege permissions on PR helper workflows
    
    These three workflows currently inherit the default read-write GITHUB_TOKEN.
    Declare explicit workflow-level permissions instead.
    
    pr-id only checks out the repo and uploads an artifact, so contents: read is
    enough. pr-commenter and pr-labeler both download the PR id artifact through
    the Actions API (actions: read); pr-commenter then posts a welcome comment via
    github.rest.issues.createComment and pr-labeler runs actions/labeler, both of
    which write to the PR (pull-requests: write). Scopes were matched to what each
    workflow actually does, per review feedback.
    
    Signed-off-by: Arpit Jain <[email protected]>
---
 .github/workflows/pr-commenter.yml | 5 +++++
 .github/workflows/pr-id.yml        | 3 +++
 .github/workflows/pr-labeler.yml   | 5 +++++
 3 files changed, 13 insertions(+)

diff --git a/.github/workflows/pr-commenter.yml b/.github/workflows/pr-commenter.yml
index 08001312c383..b544407b6d6b 100644
--- a/.github/workflows/pr-commenter.yml
+++ b/.github/workflows/pr-commenter.yml
@@ -24,6 +24,11 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+  pull-requests: write
+  actions: read
+
 jobs:
   process:
     runs-on: ubuntu-latest
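Review bot: the workflow-level `permissions:` block grants `pull-requests: write` to every job and step in this file, including the step that downloads and unpacks the PR-id artifact, which the commit message says only needs `actions: read`. Since this file runs on `workflow_run` (the `types: - completed` context above) and that artifact comes from a `pull_request`-triggered job, consider moving `pull-requests: write` to a job-level `permissions:` on the job that calls `github.rest.issues.createComment`, so the write scope is not live while PR-controlled input is being read. A short YAML comment explaining why `actions: read` is required (artifact download through the Actions API) would also stop a later cleanup from dropping it and breaking the download.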
diff --git a/.github/workflows/pr-id.yml b/.github/workflows/pr-id.yml
index 1711b24091fd..bb517fbc46a9 100644
--- a/.github/workflows/pr-id.yml
+++ b/.github/workflows/pr-id.yml
@@ -23,6 +23,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || 
github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   upload:
     runs-on: ubuntu-latest
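Review bot: `contents: read` is the right floor for a job that only checks out and uploads, and it matches the commit message. Since the artifact uploaded here is later consumed by pr-commenter.yml and pr-labeler.yml under `workflow_run` with `pull-requests: write`, a one-line comment above this block saying that the artifact is PR-controlled input read by privileged workflows would help anyone extending the `upload` job understand why its scope must stay minimal.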
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 60a8f1f27101..72347b24f463 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -24,6 +24,11 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+  pull-requests: write
+  actions: read
+
 jobs:
   process:
     runs-on: ubuntu-latest
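Review bot: this is the same block as in pr-commenter.yml, and the same job-level split applies: if the artifact-download and `actions/labeler` steps are in (or are later moved to) separate jobs, `pull-requests: write` belongs only on the labeling job. Also confirm that the `actions/labeler` step is passed the default `GITHUB_TOKEN` rather than a stored PAT, since this declaration only constrains the default token; with a PAT the `pull-requests: write` line would be cosmetic and the effective scope would be whatever that secret carries.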
