From 044060840d38bc61b966d6c0dfe58c860658c377 Mon Sep 17 00:00:00 2001
From: Florian Bernd
Date: Tue, 16 Jun 2026 10:12:44 +0200
Subject: [PATCH] fix: add explicit permissions to GitHub Actions workflows

InfoSec is changing GITHUB_TOKEN default permissions from read/write to read-only on July 15th. Adding explicit permissions blocks to all workflows that require write access.
---
 .github/workflows/auto-pr.yml | 5 +++++
 .github/workflows/codeql.yml | 2 ++
 .github/workflows/docs-preview-cleanup.yml | 2 ++
 .github/workflows/regenerate-notice.yml | 2 ++
 .github/workflows/resolve-conflicts.yml | 5 +++++
 5 files changed, 16 insertions(+)

diff --git a/.github/workflows/auto-pr.yml b/.github/workflows/auto-pr.yml
index 6bfad646..ed0f7d28 100644
--- a/.github/workflows/auto-pr.yml
+++ b/.github/workflows/auto-pr.yml
@@ -3,6 +3,11 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  contents: write
+  pull-requests: write
+  issues: read
+
 jobs:
   auto-pr:
     if: startsWith(github.event.label.name, 'auto-pr')
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 979c67e8..e6279037 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
diff --git a/.github/workflows/docs-preview-cleanup.yml b/.github/workflows/docs-preview-cleanup.yml
index 34502d02..5d80161f 100644
--- a/.github/workflows/docs-preview-cleanup.yml
+++ b/.github/workflows/docs-preview-cleanup.yml
@@ -6,6 +6,8 @@ on:
     types:
       - closed
 
+permissions: {}
+
 jobs:
   cleanup:
     uses: elastic/docs-actions/.github/workflows/docs-preview-cleanup.yml@67a2f08b5b237e0f333d23c357b2f6cb6860ecf9 # v1
diff --git a/.github/workflows/regenerate-notice.yml b/.github/workflows/regenerate-notice.yml
index 85ee4be2..c51b3231 100644
--- a/.github/workflows/regenerate-notice.yml
+++ b/.github/workflows/regenerate-notice.yml
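Review bot: The new `permissions` block sits at workflow level, so `contents: write` and `pull-requests: write` are handed to every job in this file, while the only gate on the `issues: labeled` trigger is the job-level `if: startsWith(github.event.label.name, 'auto-pr')` (the `auto-pr` job body continues outside the hunk). Moving the three scopes under `jobs.auto-pr.permissions` ties the write token to the gated job and leaves any other job at the read-only default the commit message is preparing for. It is also worth recording why `issues: read` is needed, since the labeled-event payload already carries the issue; a comment such as `# issues: read is needed for <API call> in the auto-pr job` next to the block would do. Keep in mind that anyone with triage rights can apply the label and thereby start a run holding a write-capable token, which is fine only if that is the intended trust boundary.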
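Review bot: `permissions: {}` at workflow level strips every scope from the default token, but the CodeQL `analyze` job (its body continues outside the hunk) needs `security-events: write` to upload SARIF results and `contents: read` to check out the code (plus `actions: read` on private repositories); confirm the job declares these at job level, otherwise the upload step would start failing once this lands. If the job has no `permissions` of its own, add `permissions: { contents: read, security-events: write, actions: read }` under `jobs.analyze`. The empty top-level block is still the right default, because job-level permissions replace the workflow-level set for that job rather than extend it.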
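Review bot: For a job that calls a reusable workflow (`uses: elastic/docs-actions/.github/workflows/docs-preview-cleanup.yml@…`), the called workflow's GITHUB_TOKEN can only be narrowed, never widened, relative to what the caller grants, so the empty workflow-level block leaves the `cleanup` job with no token scopes at all unless it declares job-level permissions (nothing after the `uses:` line is visible in the hunk). Check the pinned `docs-preview-cleanup.yml` for a required scope such as `contents: read` or `deployments: write` and grant only that under `jobs.cleanup.permissions`; if it authenticates with a passed secret instead, `{}` is correct as written. The SHA pin with the `# v1` comment on the `uses:` line is the right pattern and should stay in sync when the version is bumped.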
@@ -8,6 +8,8 @@ on:
       - package.json
       - package-lock.json
 
+permissions: {}
+
 jobs:
   regenerate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/resolve-conflicts.yml b/.github/workflows/resolve-conflicts.yml
index c7ceea03..4a3fe594 100644
--- a/.github/workflows/resolve-conflicts.yml
+++ b/.github/workflows/resolve-conflicts.yml
@@ -3,6 +3,11 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: write
+  pull-requests: write
+  issues: read
+
 jobs:
   resolve:
     uses: elastic/clients-team-automations/.github/workflows/ai-backport-resolver.yml@main
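Review bot: `permissions: {}` is correct only if the `regenerate` job merely verifies the NOTICE file; if it commits the regenerated file back or opens a pull request, it now has neither `contents: write` nor `pull-requests: write` and would fail with a 403 once the default token drops to read-only (the job body past `runs-on: ubuntu-latest` is outside the hunk). Whichever it is, state the intent next to the block, e.g. `# no token scopes needed: this job only checks that NOTICE is current`, or grant a job-level `permissions: { contents: write }` under `jobs.regenerate` rather than widening the whole workflow. The path-filtered trigger on `package.json`/`package-lock.json` does not itself require any token scope.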
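Review bot: The workflow-level `contents: write` and `pull-requests: write` now flow into a reusable workflow referenced by a mutable branch, `uses: elastic/clients-team-automations/.github/workflows/ai-backport-resolver.yml@main`, on an `issue_comment: created` trigger that any user able to comment on the repository can fire, so on the new side the only controls on that write token are whatever the called workflow enforces internally. Pin the reference to a commit SHA, as `docs-preview-cleanup.yml` in this same patch does, so a change on `main` of the automation repository cannot silently repurpose the token, and gate the job before the call, e.g. `if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`, unless the called workflow is known to check the commenter itself. Moving the three scopes under `jobs.resolve.permissions` would also keep them from applying to any job added to this file later.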