From 8ca49106529bd76f8f09c88d0f706a8d8de6a74c Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Tue, 10 Feb 2026 22:27:15 +0000
Subject: [PATCH] fix: Add explicit permissions to workflow files

Add least-privilege permissions blocks to the 3 workflows flagged by CodeQL (alerts #2, #5, #6) for missing-workflow-permissions:
- test.yml: contents: read
- publish.yml: contents: read, issues: write
- auto-approve.yml: contents: read
---
 .github/workflows/auto-approve.yml | 4 ++++
 .github/workflows/publish.yml | 5 +++++
 .github/workflows/test.yml | 3 +++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index f03b7e4..8217fb0 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -2,6 +2,10 @@ name: auto-approve non-sdks
 on:
 issues:
 types: [opened]
+
+permissions:
+ contents: read
+
 jobs:
 auto-approve:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ef98590..86c3b53 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -2,6 +2,11 @@ name: Publish
 on:
 issues:
 types: [labeled]
+
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a7ec80b..44692d0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -5,6 +5,9 @@ on: - main pull_request: +permissions: + contents: read + defaults: run: shell: bash
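Review bot: The `permissions:` block added to auto-approve.yml grants only `contents: read`, which sets `issues` to `none`, yet this workflow is triggered by `issues: opened` and its job is named `auto-approve`, so any step that labels, comments on or closes the issue through `GITHUB_TOKEN` would fail with a 403 after this change; the job's steps lie outside the hunk, so this needs checking against the job body. If the job does write to the issue with `GITHUB_TOKEN`, add `issues: write` beside `contents: read` as the publish.yml hunk does; if it uses a separately supplied token, a one-line comment such as `# issue updates use a dedicated token; GITHUB_TOKEN needs read only` would stop the next reader from re-adding the scope. The same caveat applies to the publish.yml and test.yml hunks: a top-level `permissions:` block resets every unlisted scope (`pull-requests`, `checks`, `id-token`, …) to `none`, so each job's steps should be confirmed before merging.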
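Review bot: `issues: write` in publish.yml is declared at the workflow level, so every job in the file inherits it rather than only the job that needs it; moving it into a job-level `permissions:` block on the `publish` job (whose definition continues past this hunk) keeps the write-capable token confined to that job, which matters because the workflow runs on `issues: labeled` and the token is live for the whole label-triggered run. What the scope is actually used for is not visible here, so a comment recording it, e.g. `# issues: write — required by <step name> to update the triggering issue`, would keep the grant from being widened later without review.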