From a21f00d250fdabb8777bc13533aaf0e7a58a39de Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Tue, 10 Mar 2026 16:43:36 +0500 Subject: [PATCH] chore(ci): tighten permissions for AI workflows (#22471) --- .github/workflows/classify-issue-severity.yml | 4 +++- .github/workflows/code-review.yaml | 4 +++- .github/workflows/doc-check.yaml | 4 +++- .github/workflows/traiage.yaml | 4 +++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/classify-issue-severity.yml b/.github/workflows/classify-issue-severity.yml index 2bca83190e..44277a3508 100644 --- a/.github/workflows/classify-issue-severity.yml +++ b/.github/workflows/classify-issue-severity.yml @@ -19,6 +19,9 @@ on: default: "" type: string +permissions: + contents: read + jobs: classify-severity: name: AI Severity Classification @@ -32,7 +35,6 @@ jobs: permissions: contents: read issues: write - actions: write steps: - name: Determine Issue Context diff --git a/.github/workflows/code-review.yaml b/.github/workflows/code-review.yaml index 1526408466..90a872afaf 100644 --- a/.github/workflows/code-review.yaml +++ b/.github/workflows/code-review.yaml @@ -31,6 +31,9 @@ on: default: "" type: string +permissions: + contents: read + jobs: code-review: name: AI Code Review @@ -51,7 +54,6 @@ jobs: permissions: contents: read pull-requests: write - actions: write steps: - name: Check if secrets are available diff --git a/.github/workflows/doc-check.yaml b/.github/workflows/doc-check.yaml index b31ed804cc..d891a223b2 100644 --- a/.github/workflows/doc-check.yaml +++ b/.github/workflows/doc-check.yaml @@ -34,6 +34,9 @@ on: default: "" type: string +permissions: + contents: read + jobs: doc-check: name: Analyze PR for Documentation Updates Needed @@ -56,7 +59,6 @@ jobs: permissions: contents: read pull-requests: write - actions: write steps: - name: Check if secrets are available diff --git a/.github/workflows/traiage.yaml b/.github/workflows/traiage.yaml index 3848c67aef..65658e7bc9 100644 
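Review bot: The new workflow-level `permissions: contents: read` in the first hunk of classify-issue-severity.yml is only a default for jobs that declare no `permissions:` block of their own; GitHub applies a job-level block as a complete replacement rather than merging it, so the `classify-severity` job a few lines down (which keeps `issues: write`) is unaffected and the top-level entry acts purely as a fallback for any job added later. That is worth stating next to it so a later reader does not assume it also narrows the existing job: `# Default for jobs without their own permissions block; a job-level block replaces this set entirely.`. The same top-level addition, and the same missing explanation, appear in code-review.yaml, doc-check.yaml and traiage.yaml.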
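Review bot: Dropping `actions: write` from the job-level block in the second hunk of classify-issue-severity.yml is a runtime-only change: if any step in this job still calls the Actions API (cancelling or re-running workflows, deleting caches), it will fail with a 403 during a run rather than at parse time, and the steps are outside the hunk so nothing here shows that this was verified. Confirm with a real run under the reduced token, and record the intent so the grant is not quietly re-added, e.g. `# least privilege: no actions scope — this job does not call the Actions API` above the remaining `contents: read` / `issues: write` lines. The same removal is made in code-review.yaml, doc-check.yaml and traiage.yaml, where the remaining `pull-requests: write` / `issues: write` scopes are still granted to jobs that process untrusted PR and issue text, so keeping the grant list minimal and documented matters there too.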
--- a/.github/workflows/traiage.yaml +++ b/.github/workflows/traiage.yaml @@ -26,6 +26,9 @@ on: default: "traiage" type: string +permissions: + contents: read + jobs: traiage: name: Triage GitHub Issue with Claude Code @@ -38,7 +41,6 @@ jobs: permissions: contents: read issues: write - actions: write steps: # This is only required for testing locally using nektos/act, so leaving commented out.