ci: update WELCOME-NEW-USERS workflow from global .github repo

microcks-bot · microcks-bot · commit 44d134c3d8d6 · 2026-03-25T16:45:34.000Z
Signed-off-by: microcks-bot &lt;info@microcks.io&gt;
diff --git a/.github/workflows/welcome-new-users.yml b/.github/workflows/welcome-new-users.yml
@@ -11,6 +11,9 @@ on:
   pull_request:
     types: [opened, closed]
 
+# Explicitly disable all default GITHUB_TOKEN permissions at the workflow level.
+# Each job then declares only the minimal required permissions (principle of least privilege),
+# e.g., `issues: write` for posting comments. This improves security, especially for PRs from forks.
 permissions: {}
 
 jobs:
@@ -46,7 +49,7 @@ jobs:
     if: github.event_name == 'pull_request' && github.event.action == 'opened'
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      issues: write
     steps:
       - uses: wow-actions/welcome@68019c2c271561f63162fea75bb7707ef8a02c85 # To pin v1.3.1
         with:
@@ -64,7 +67,7 @@ jobs:
     if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      issues: write
     steps:
       - uses: wow-actions/welcome@68019c2c271561f63162fea75bb7707ef8a02c85 # To pin v1.3.1
         with:
