This is an automated email from the ASF dual-hosted git repository.
apupier pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 7e5f828333db ci: declare least-privilege permissions on PR helper workflows
7e5f828333db is described below
commit 7e5f828333db0a2bfebef5d06512f432246ee36e
Author: Arpit Jain <[email protected]>
AuthorDate: Sun May 31 22:30:10 2026 +0900
ci: declare least-privilege permissions on PR helper workflows
These three workflows currently inherit the default read-write GITHUB_TOKEN.
Declare explicit workflow-level permissions instead.

pr-id only checks out the repo and uploads an artifact, so contents: read is
enough. pr-commenter and pr-labeler both download the PR id artifact through
the Actions API (actions: read); pr-commenter then posts a welcome comment via
github.rest.issues.createComment and pr-labeler runs actions/labeler, both of
which write to the PR (pull-requests: write). Scopes were matched to what each
workflow actually does, per review feedback.
Signed-off-by: Arpit Jain <[email protected]>
---
.github/workflows/pr-commenter.yml | 5 +++++
.github/workflows/pr-id.yml | 3 +++
.github/workflows/pr-labeler.yml | 5 +++++
3 files changed, 13 insertions(+)
diff --git a/.github/workflows/pr-commenter.yml
b/.github/workflows/pr-commenter.yml
index 08001312c383..b544407b6d6b 100644
--- a/.github/workflows/pr-commenter.yml
+++ b/.github/workflows/pr-commenter.yml
@@ -24,6 +24,11 @@ on:
types:
- completed
+permissions:
+ contents: read
+ pull-requests: write
+ actions: read
+
jobs:
process:
runs-on: ubuntu-latest
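Review bot: the `pull-requests: write` scope added here is the one that deserves a second look, since this workflow runs on `workflow_run` (the `types: - completed` context above) and acts on an artifact produced by the triggering, possibly fork-originated, run: confirm that `pull-requests: write` alone is sufficient for `github.rest.issues.createComment` on a PR number in a live run (if the workflow ever had to comment on a plain issue it would need `issues: write` instead), and, because the PR id comes from the untrusted artifact, make sure the `process` job validates it as an integer before it is passed to the API. Declaring the scopes at job level on `process` rather than at workflow level would also keep any job added later from inheriting the write scope by default.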
diff --git a/.github/workflows/pr-id.yml b/.github/workflows/pr-id.yml
index 1711b24091fd..bb517fbc46a9 100644
--- a/.github/workflows/pr-id.yml
+++ b/.github/workflows/pr-id.yml
@@ -23,6 +23,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number ||
github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
upload:
runs-on: ubuntu-latest
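Review bot: `contents: read` is the right minimum for this workflow; checkout needs it, and `actions/upload-artifact` does not draw on GITHUB_TOKEN scopes, so nothing else has to be granted. Worth stating in the commit or a YAML comment that this workflow is the `pull_request`-triggered producer of the PR id artifact (visible from `github.event.pull_request.number` in the `concurrency` group above), so that a future reader does not "fix" it by adding `pull-requests` scopes it never needs: the point of the split is that the fork-facing job carries no write scope at all.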
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 60a8f1f27101..72347b24f463 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -24,6 +24,11 @@ on:
types:
- completed
+permissions:
+ contents: read
+ pull-requests: write
+ actions: read
+
jobs:
process:
runs-on: ubuntu-latest
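Review bot: the scope set matches what `actions/labeler` documents (it reads the labeler configuration via `contents: read` and applies labels through the pulls API via `pull-requests: write`), and `actions: read` covers the artifact download from the triggering run. Same caveat as for pr-commenter: the labeler acts on a PR number read from an artifact of an untrusted run, so the `process` job should validate that value before use, and scoping `permissions:` to the job rather than the whole workflow would be the tighter form if the file grows more jobs. Consider a one-line YAML comment above `permissions:` in both `workflow_run` workflows recording why `actions: read` is present, since it is the least obvious of the three.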