From c83a3da9dbb3b35860916e8c60836deaf28e736b Mon Sep 17 00:00:00 2001
From: moorec-aws <122481442+moorec-aws@users.noreply.github.com>
Date: Thu, 27 Nov 2025 12:22:54 -0600
Subject: [PATCH] ci: specify permissions that workflows pass to jobs/actions

Signed-off-by: Charles Moore <122481442+moorec-aws@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 2 ++
 .github/workflows/release_bump.yml | 3 +++
 .github/workflows/responded.yml | 3 +++
 .github/workflows/stale_prs_and_issues.yml | 4 ++++
 4 files changed, 12 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9fa5f5c..4858e33 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,3 +12,5 @@ jobs:
 Analysis:
 name: Analysis
 uses: OpenJobDescription/.github/.github/workflows/reusable_codeql.yml@mainline
+ permissions:
+ security-events: write
diff --git a/.github/workflows/release_bump.yml b/.github/workflows/release_bump.yml
index 6b6a87d..153dac2 100644
--- a/.github/workflows/release_bump.yml
+++ b/.github/workflows/release_bump.yml
@@ -20,6 +20,9 @@ jobs:
 Bump:
 name: Version Bump
 uses: OpenJobDescription/.github/.github/workflows/reusable_bump.yml@mainline
+ permissions:
+ contents: write
+ pull-requests: write
 secrets: inherit
 with:
 force_version_bump: ${{ inputs.force_version_bump }}
\ No newline at end of file
diff --git a/.github/workflows/responded.yml b/.github/workflows/responded.yml
index a25d098..ab78ee9 100644
--- a/.github/workflows/responded.yml
+++ b/.github/workflows/responded.yml
@@ -6,3 +6,6 @@ on:
 jobs:
 check-for-response:
 uses: OpenJobDescription/.github/.github/workflows/reusable_responded.yml@mainline
+ permissions:
+ issues: write
+ pull-requests: write
diff --git a/.github/workflows/stale_prs_and_issues.yml b/.github/workflows/stale_prs_and_issues.yml
index 9b465db..16cae39 100644
--- a/.github/workflows/stale_prs_and_issues.yml
+++ b/.github/workflows/stale_prs_and_issues.yml
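Review bot: The job-level `permissions:` added to the Analysis job in codeql.yml lists only `security-events: write`, and a job-level block sets every unlisted scope to none for that job, so the token handed to `reusable_codeql.yml` no longer carries `contents: read` or `actions: read`. The reusable workflow is not visible here, but a code-scanning workflow normally needs `contents: read` to check out the repository and, on a private repository, `actions: read` to upload results; if that is the case here, add `contents: read` and `actions: read` under the new block. The responded.yml hunk has the same shape (`issues`/`pull-requests` only, no `contents: read`), while the stale_prs_and_issues.yml hunk does grant `contents: read`, so the four blocks should be reconciled against what each called workflow actually does rather than left inconsistent. A one-line comment above each block naming the step that needs each scope (e.g. `# contents: read — checkout in the reusable workflow`) would make the next permissions audit straightforward. The `jobs:` mapping opens before the hunk; only the Analysis job is shown.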
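Review bot: The new block in release_bump.yml grants `contents: write` and `pull-requests: write` to a job that also passes `secrets: inherit`, so the caller now explicitly hands repository write access and every repository secret to whatever `reusable_bump.yml@mainline` resolves to at run time. The `uses:` line is unchanged by this commit, but now that the grant is explicit it is worth confirming that `contents: write` is genuinely required (if the bump lands through a pull request, `contents: read` plus `pull-requests: write` may suffice) and considering pinning the reusable workflow to a reviewed commit SHA instead of the mutable `mainline` branch, so the scopes are granted to a known revision. The `jobs:` mapping opens before the hunk; the Bump job itself is fully shown and ends at the end of the file.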
@@ -7,3 +7,7 @@ on:
 jobs:
 check-for-stales:
 uses: OpenJobDescription/.github/.github/workflows/reusable_stale_prs_and_issues.yml@mainline
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write