From ee6568771caa38e0405aecee1f2a0b3af165c63c Mon Sep 17 00:00:00 2001 From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com> Date: Fri, 13 Feb 2026 17:15:17 -0500 Subject: [PATCH] ci: scope workflow permissions to jobs --- .github/workflows/issue_labeler.yml | 5 ++--- .github/workflows/top_issues.yml | 7 ++++--- .github/workflows/update_issue_templates.yml | 11 +++-------- 3 files changed, 9 insertions(+), 14 deletions(-) diff --git a/.github/workflows/issue_labeler.yml b/.github/workflows/issue_labeler.yml index 6ea509f..0cb9ebd 100644 --- a/.github/workflows/issue_labeler.yml +++ b/.github/workflows/issue_labeler.yml @@ -1,7 +1,6 @@ --- name: Issue labeler -permissions: - contents: read +permissions: {} on: issues: @@ -14,7 +13,7 @@ jobs: label-component: runs-on: ubuntu-latest permissions: - issues: write + contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/top_issues.yml b/.github/workflows/top_issues.yml index 96a949d..13e1bf5 100644 --- a/.github/workflows/top_issues.yml +++ b/.github/workflows/top_issues.yml @@ -1,5 +1,6 @@ --- name: Top issues +permissions: {} on: schedule: @@ -10,13 +11,13 @@ concurrency: group: 'top-issues' cancel-in-progress: true -permissions: - contents: read - issues: write jobs: top-issues: name: Top issues + permissions: + contents: read + issues: write runs-on: ubuntu-latest steps: - name: Top issues action diff --git a/.github/workflows/update_issue_templates.yml b/.github/workflows/update_issue_templates.yml index ac62c4e..7a787fe 100644 --- a/.github/workflows/update_issue_templates.yml +++ b/.github/workflows/update_issue_templates.yml @@ -1,7 +1,6 @@ --- name: Update Repositories List in Roadmap -permissions: - contents: read +permissions: {} on: workflow_dispatch: 
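Review bot: In `.github/workflows/issue_labeler.yml` (hunk `@@ -14,7 +13,7 @@`), the `label-component` job loses `issues: write` and is left with only `contents: read`. Because the workflow default is now `permissions: {}`, every scope not listed on the job is `none`. If the labeling step, which lies outside this hunk, authenticates with the default `GITHUB_TOKEN`, applying labels will be rejected, so the job block would need both `contents: read` and `issues: write`. If that step uses a separate bot token instead, a comment such as `# labels are applied with a dedicated token; GITHUB_TOKEN is only used for checkout` above the `permissions:` key would make the reduced scope clearly intentional.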
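Review bot: In `.github/workflows/top_issues.yml` (hunk `@@ -10,13 +11,13 @@`), the `top-issues` job keeps `contents: read` even though the only step visible in the hunk is `Top issues action` and no checkout appears. The step list continues outside the hunk, so this is a question rather than a finding. If no later step reads repository contents, the job block could be reduced to `issues: write` alone, which matches the least-privilege intent of this commit. Otherwise a short comment such as `# contents: read is required by <step name>` would record why the scope stays.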
@@ -13,12 +12,6 @@ on: schedule: - cron: '0 0 * * *' pull_request: - branches: - - master - types: - - opened - - reopened - - synchronize push: branches: - master @@ -26,6 +19,8 @@ on: jobs: update-repositories: name: Update Repository List + permissions: + contents: read runs-on: ubuntu-latest steps: - name: Checkout