From f142ccb22d9971a3c9ff39596a742bdc344ad3ae Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:15:56 -0400
Subject: [PATCH 1/5] ci: scope down permissions for ci_size_writer.yml
---
 .github/workflows/ci_size_writer.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ci_size_writer.yml b/.github/workflows/ci_size_writer.yml
index c83d9c6332f..759c0f9ec26 100644
--- a/.github/workflows/ci_size_writer.yml
+++ b/.github/workflows/ci_size_writer.yml
@@ -6,6 +6,10 @@ on:
 types:
 - completed
+permissions:
+ pull-requests: write
+ issues: write
+
 jobs:
 comment_bin_size:
 runs-on: ubuntu-latest
From c974484be5409e151b81d04df4a2150d0f97a9e4 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:15:58 -0400
Subject: [PATCH 2/5] ci: scope down permissions for ci_size_computer.yml
---
 .github/workflows/ci_size_computer.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci_size_computer.yml b/.github/workflows/ci_size_computer.yml
index cb996460700..2468571aa7c 100644
--- a/.github/workflows/ci_size_computer.yml
+++ b/.github/workflows/ci_size_computer.yml
@@ -7,6 +7,9 @@ on:
 - edited
 - synchronize
+permissions:
+ contents: read
+
 jobs:
 binsize:
 runs-on: ubuntu-latest
From b4c636ec36da8f64a6453632bfc9df405467a493 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:16:00 -0400
Subject: [PATCH 3/5] ci: scope down permissions for commit.yml
---
 .github/workflows/commit.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/commit.yml b/.github/workflows/commit.yml
index 7d6976df840..05c8b36b0e2 100644
--- a/.github/workflows/commit.yml
+++ b/.github/workflows/commit.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - mainline
+permissions:
+ contents: read
+
 jobs:
 test: # same as ci/test
 runs-on: ubuntu-latest
From 6c781b21a0099650bd7f1fcc6f3e441d7328af95 Mon Sep 17 00:00:00 2001
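Review bot: The top-level `permissions:` block added to ci_size_writer.yml lists only `pull-requests: write` and `issues: write`, which sets every other scope, including `actions`, to none. The `types: - completed` context suggests a `workflow_run` trigger; if the `comment_bin_size` job (its steps are outside the hunk) fetches the size artifact from the triggering run through the API, it will likely need `actions: read` added here. An artifact produced by a run on pull-request code should be handled as untrusted data by a job that holds a write token. It is also worth checking whether both write scopes are needed, since posting a comment on a pull request may need only one of them.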
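Review bot: The `permissions:` block added to ci_size_computer.yml carries no comment saying why `contents: read` is enough, and the same holds for the identical blocks added to commit.yml and ci.yml. A top-level block sets every unlisted scope to none for all jobs in the file, so a later step that needs another scope will fail and the easy fix is to widen this block for everything. I would add above each one `# Least privilege: jobs only read the repo; grant extra scopes per job, not here`. The job bodies are outside these hunks, so confirm that no existing step relies on a scope that is now none.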
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:16:02 -0400
Subject: [PATCH 4/5] ci: scope down permissions for ci.yml
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a811563e710..71267156a26 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
 - edited
 - synchronize
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
From dcf3ebe345c4eaf791e178669b206d842e1cd56a Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:16:04 -0400
Subject: [PATCH 5/5] ci: scope down permissions for doc_builder.yml
---
 .github/workflows/doc_builder.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/doc_builder.yml b/.github/workflows/doc_builder.yml
index 4174e5e45a9..0a59843d833 100644
--- a/.github/workflows/doc_builder.yml
+++ b/.github/workflows/doc_builder.yml
@@ -5,6 +5,10 @@ on:
 # Allow the workflow to be triggered also manually.
 workflow_dispatch:
+permissions:
+ contents: write
+ pages: write
+
 jobs:
 build:
 name: Deploy docs
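Review bot: `contents: write` and `pages: write` are granted at workflow level in doc_builder.yml, so every job in the file receives both, and which of them the deploy needs depends on steps outside this hunk. Publishing by pushing to a branch needs `contents: write` but not `pages: write`; publishing through the Pages deployment action needs `pages: write` together with `id-token: write`, and only `contents: read`. I would keep `contents: read` at the top and move the write scopes onto the deploying job, dropping whichever one turns out to be unused.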