asyncapi · asyncapi-bot · Jun 5, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
@@ -9,15 +9,20 @@ on:
     types:
       - created
 
+permissions: {}
+
 jobs:
   add-labels:
-    if: ${{(!github.event.issue.pull_request && github.event.issue.state != 'closed' && github.actor != 'asyncapi-bot') && (contains(github.event.comment.body, '/good-first-issue') || contains(github.event.comment.body, '/gfi' ))}}
+    name: Add 'Good First Issue' and 'area/*' labels
+    if: ${{(!github.event.issue.pull_request && github.event.issue.state != 'closed' && github.event.comment.user.login != 'asyncapi-bot') && (contains(github.event.comment.body, '/good-first-issue') || contains(github.event.comment.body, '/gfi' ))}}
     runs-on: ubuntu-latest
+    permissions:
+      issues: write    # This is needed to add labels to issues.
     steps:
       - name: Add label
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const areas = ['javascript', 'typescript', 'java' , 'go', 'docs', 'ci-cd', 'design'];
             const words = context.payload.comment.body.trim().split(" ");

@@ -12,12 +12,19 @@ on:
     types:
       - created
 
+permissions: {}
+
 jobs:
   add-ready-to-merge-label:
+    name: Add ready-to-merge label
+    permissions:
+      issues: write # required to add labels and post comments on PR issues
+      pull-requests: write # required to read PR metadata from the issue pull_request URL
+      contents: read # required to compare PR branch commits against base
     if: >
       github.event.issue.pull_request && 
       github.event.issue.state != 'closed' && 
-      github.actor != 'asyncapi-bot' && 
+      github.event.comment.user.login != 'asyncapi-bot' && 
       (
         contains(github.event.comment.body, '/ready-to-merge') || 
         contains(github.event.comment.body, '/rtm' )
@@ -26,10 +33,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Add ready-to-merge label
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         env:
           GITHUB_ACTOR: ${{ github.actor }}
         with:
+          # Use bot PAT, not the default GITHUB_TOKEN: events created by
+          # GITHUB_TOKEN do not trigger other workflows, so `Automerge For
+          # Humans` would never see the `labeled` event.
           github-token: ${{ secrets.GH_TOKEN }}
           script: |
             const prDetailsUrl = context.payload.issue.pull_request.url;
@@ -69,19 +79,24 @@ jobs:
             }
 
   add-do-not-merge-label:
+    name: Add do-not-merge label
+    permissions:
+      issues: write # required to add labels on PR issues
+      pull-requests: write # required to read PR metadata from the issue pull_request URL
     if: >
       github.event.issue.pull_request &&
       github.event.issue.state != 'closed' &&
-      github.actor != 'asyncapi-bot' &&
+      github.event.comment.user.login != 'asyncapi-bot' &&
       (
         contains(github.event.comment.body, '/do-not-merge') ||
         contains(github.event.comment.body, '/dnm' )
       )
     runs-on: ubuntu-latest
     steps:
       - name: Add do-not-merge label
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
+          # Bot PAT so the `labeled` event can trigger downstream workflows.
           github-token: ${{ secrets.GH_TOKEN }}
           script: |
             github.rest.issues.addLabels({
@@ -91,19 +106,24 @@ jobs:
               labels: ['do-not-merge']
             })
   add-autoupdate-label:
+    name: Add autoupdate label
+    permissions:
+      issues: write # required to add labels on PR issues
+      pull-requests: write # required to read PR metadata from the issue pull_request URL
     if: >
       github.event.issue.pull_request && 
       github.event.issue.state != 'closed' && 
-      github.actor != 'asyncapi-bot' &&
+      github.event.comment.user.login != 'asyncapi-bot' &&
       (
         contains(github.event.comment.body, '/autoupdate') ||
         contains(github.event.comment.body, '/au' )
       )
     runs-on: ubuntu-latest
     steps:
       - name: Add autoupdate label
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
+          # Bot PAT so the `labeled` event can trigger the autoupdate workflow.
           github-token: ${{ secrets.GH_TOKEN }}
           script: |
             github.rest.issues.addLabels({

@@ -14,21 +14,25 @@ on:
       - edited
       - ready_for_review
       - reopened
-      - unlocked
+      - unlocked                              # zizmor: ignore[dangerous-triggers] needed if we want author to be our bot
+
+permissions: {}
 
 jobs:
   automerge-for-humans:
+    name: Automerge PRs labeled with ready-to-merge
+    permissions:
+      contents: read # required for PR commit metadata reads
+      pull-requests: read # required to read pull request details in github-script steps
     # it runs only if PR actor is not a bot, at least not a bot that we know
     if: |
       github.event.pull_request.draft == false && 
-      (github.event.pull_request.user.login != 'asyncapi-bot' || 
-      github.event.pull_request.user.login != 'dependabot[bot]' || 
-      github.event.pull_request.user.login != 'dependabot-preview[bot]') 
+      !contains(fromJSON('["asyncapi-bot","dependabot[bot]","dependabot-preview[bot]"]'), github.event.pull_request.user.login)
     runs-on: ubuntu-latest
     steps:
       - name: Get PR authors
         id: authors
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             // Get paginated list of all commits in the PR
@@ -67,10 +71,12 @@ jobs:
 
       - name: Create commit message
         id: create-commit-message
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+        env:
+          AUTHORS_JSON: ${{ steps.authors.outputs.result }}
         with:
           script: |
-            const authors = ${{ steps.authors.outputs.result }};
+            const authors = JSON.parse(process.env.AUTHORS_JSON);
 
             if (Object.keys(authors).length === 0) {
               core.setFailed('No authors found in the PR');

@@ -9,16 +9,21 @@ on:
   pull_request_target:
     types:
       - synchronize
-      - edited
+      - edited                                # zizmor: ignore[dangerous-triggers] needed as pull_request token is read-only
+
+permissions: {}
 
 jobs:
   remove-ready-label:
+    name: Remove ready-to-merge label
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # required to remove labels and post comments on PR issues 
     steps:
       - name: Remove label
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const labelToRemove = 'ready-to-merge';
             const labels = context.payload.pull_request.labels;

@@ -7,19 +7,26 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
   identify-orphans:
     if: startsWith(github.repository, 'asyncapi/')
     name: Find orphans and notify
+    permissions:
+      contents: read # required by checkout and repository metadata reads
+      pull-requests: read # required to list open pull requests
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - name: Get list of orphans
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         id: orphans
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const query = `query($owner:String!, $name:String!) {
               repository(owner:$owner, name:$name){

@@ -4,17 +4,18 @@
 name: Automerge PRs from bots
 
 on:
-  pull_request_target:
+  pull_request_target:          # Needed as GH_TOKEN_BOT_EVE needed for approval.
     types:
       - opened
-      - synchronize
+      - synchronize             # zizmor: ignore[dangerous-triggers]
+
+permissions: {}
 
 jobs:
   autoapprove-for-bot:
     name: Autoapprove PR comming from a bot
     if: >
       contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]"]'), github.event.pull_request.user.login) &&
-      contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]"]'), github.actor) &&
       !contains(github.event.pull_request.labels.*.name, 'released')
     runs-on: ubuntu-latest
     steps:
@@ -24,7 +25,7 @@ jobs:
           github-token: "${{ secrets.GH_TOKEN_BOT_EVE }}"
 
       - name: Label autoapproved
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           github-token: ${{ secrets.GH_TOKEN }}
           script: |

@@ -18,14 +18,16 @@ on:
       - 'bot/**'
       - 'all-contributors/**'
 
+permissions: {}
+
 jobs:
   autoupdate-for-bot:
     if: startsWith(github.repository, 'asyncapi/')
     name: Autoupdate autoapproved PR created in the upstream
     runs-on: ubuntu-latest
     steps:
       - name: Autoupdating
-        uses: docker://chinthakagodawita/autoupdate-action:v1
+        uses: chinthakagodawita/autoupdate@0707656cd062a3b0cf8fa9b2cda1d1404d74437e
         env:
           GITHUB_TOKEN: '${{ secrets.GH_TOKEN_BOT_EVE }}'
           PR_FILTER: "labelled"

@@ -20,10 +20,16 @@ env:
       {"name": "bounty", "color": "0e8a16", "description": "Participation in the Bounty Program"}
     ]
 
+permissions: {}
+
 jobs:
   guard-against-unauthorized-use:
+    name: Guard against unauthorized use
+    permissions:
+      issues: write # required to post a comment on the issue/PR
+      pull-requests: write # required to post a comment on the issue/PR if it's a PR
     if: >
-      github.actor != ('aeworxet' || 'thulieblack') &&
+      !contains(fromJSON('["aeworxet","thulieblack"]'), github.event.comment.user.login) &&
       (
         startsWith(github.event.comment.body, '/bounty' )
       )
@@ -32,11 +38,11 @@ jobs:
 
     steps:
       - name: ❌ @${{github.actor}} made an unauthorized attempt to use a Bounty Program's command
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         env:
           ACTOR: ${{ github.actor }}
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const commentText = `❌ @${process.env.ACTOR} is not authorized to use the Bounty Program's commands.
             These commands can only be used by members of the [Bounty Team](https://github.com/orgs/asyncapi/teams/bounty_team).`;
@@ -50,19 +56,22 @@ jobs:
               })
 
   add-label-bounty:
+    name: Add bounty label
+    permissions:
+      issues: write # required to read/create labels and add labels on the issue/PR
+      pull-requests: write #  required to read/create labels and add labels on the issue/PR
     if: >
-      github.actor == ('aeworxet' || 'thulieblack') &&
+      contains(fromJSON('["aeworxet","thulieblack"]'), github.event.comment.user.login) &&
       (
         startsWith(github.event.comment.body, '/bounty' )
       )
 
     runs-on: ubuntu-latest
-
     steps:
       - name: Add label `bounty`
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const BOUNTY_PROGRAM_LABELS = JSON.parse(process.env.BOUNTY_PROGRAM_LABELS_JSON);
             let LIST_OF_LABELS_FOR_REPO = await github.rest.issues.listLabelsForRepo({
@@ -91,19 +100,21 @@ jobs:
             })
 
   remove-label-bounty:
+    name: Remove bounty label
+    permissions:
+      issues: write # required to read/remove labels on the issue/PR
+      pull-requests: write # required to read/remove labels on the issue/PR if it's a PR
     if: >
-      github.actor == ('aeworxet' || 'thulieblack') &&
+      contains(fromJSON('["aeworxet","thulieblack"]'), github.event.comment.user.login) &&
       (
         startsWith(github.event.comment.body, '/unbounty' )
       )
-
     runs-on: ubuntu-latest
-
     steps:
       - name: Remove label `bounty`
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const BOUNTY_PROGRAM_LABELS = JSON.parse(process.env.BOUNTY_PROGRAM_LABELS_JSON);
             let LIST_OF_LABELS_FOR_ISSUE = await github.rest.issues.listLabelsOnIssue({

@@ -13,17 +13,22 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read  # To checkout code
+
 jobs:
   bump-in-dependent-projects:
     name: Bump this package in repositories that depend on it
     if: startsWith(github.event.commits[0].message, 'chore(release):')
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - name: Check if Node.js project and has package.json
         id: packagejson
-        run: test -e ./package.json && echo "exists=true" >> $GITHUB_OUTPUT || echo "exists=false" >> $GITHUB_OUTPUT
+        run: test -e ./package.json && echo "exists=true" >> "$GITHUB_OUTPUT" || echo "exists=false" >> "$GITHUB_OUTPUT"
       - name: Setup corepack with pnpm and yarn
         if: steps.packagejson.outputs.exists == 'true'
         run: corepack enable