chore: restrict default token permissions in all workflows

mikehardy · mikehardy · commit de484206f4b9 · 2026-06-20T08:52:22.000-05:00
Declare explicit minimal GITHUB_TOKEN permissions on workflows that
previously inherited the org default, and fix a missing newline in the
stale issue message.
diff --git a/.github/workflows/create_test_patches.yml b/.github/workflows/create_test_patches.yml
@@ -19,6 +19,10 @@ on:
       - '.spellcheck.dict.txt'
       - '**/*.md'
 
+permissions:
+  contents: read
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -9,6 +9,10 @@ on:
     branches:
       - '**'
 
+permissions:
+  contents: read
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -9,6 +9,10 @@ on:
       - main
       - release-v*
 
+permissions:
+  contents: read
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/rnfb-js-sdk-comparison.yml b/.github/workflows/rnfb-js-sdk-comparison.yml
@@ -20,6 +20,10 @@ on:
       - '.spellcheck.dict.txt'
       - '**/*.md'
 
+permissions:
+  contents: read
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -5,12 +5,10 @@ on:
   schedule:
     - cron: 35 * * * *
 permissions:
-  contents: read
+  issues: write
+  pull-requests: write
 jobs:
   stale:
-    permissions:
-      issues: write
-      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       # https://github.com/actions/stale/releases
@@ -20,7 +18,9 @@ jobs:
           stale-issue-message: |
             Hello 👋, to help manage issues we automatically close stale issues.
 
-            This issue has been automatically marked as stale because it has not had activity for quite some time.Has this issue been fixed, or does it still require attention?
+            This issue has been automatically marked as stale because it has not had activity for quite some time.
+
+            Has this issue been fixed, or does it still require attention?
 
             > This issue will be closed in 15 days if no further activity occurs.
 
diff --git a/.github/workflows/tests_e2e_android.yml b/.github/workflows/tests_e2e_android.yml
@@ -27,6 +27,10 @@ on:
       - '.spellcheck.dict.txt'
       - '**/*.md'
 
+permissions:
+  contents: read
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/tests_e2e_ios.yml b/.github/workflows/tests_e2e_ios.yml
@@ -27,6 +27,10 @@ on:
       - '.spellcheck.dict.txt'
       - '**/*.md'
 
+permissions:
+  contents: read
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/tests_e2e_other.yml b/.github/workflows/tests_e2e_other.yml
@@ -27,6 +27,10 @@ on:
       - '.spellcheck.dict.txt'
       - '**/*.md'
 
+permissions:
+  contents: read
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/tests_jest.yml b/.github/workflows/tests_jest.yml
@@ -19,6 +19,10 @@ on:
       - '.spellcheck.dict.txt'
       - '**/*.md'
 
+permissions:
+  contents: read
+  actions: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
