From a21e41b89de43d133ccada61bf9d407a1147ed1b Mon Sep 17 00:00:00 2001
From: tecvan <84165678+Tecvan-fe@users.noreply.github.com>
Date: Fri, 8 Aug 2025 16:12:57 +0800
Subject: [PATCH] fix(ci): add missing workflow permissions to resolve security alerts (#646)

Co-authored-by: Claude
---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/ci@main.yml | 4 ++++
 .github/workflows/common-pr-checks.yml | 3 +++
 .github/workflows/idl.yaml | 3 +++
 .github/workflows/license-check.yaml | 3 +++
 .github/workflows/semantic-pull-request.yaml | 3 +++
 6 files changed, 20 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 465d1ed5..28064342 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,10 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
 
+permissions:
+ contents: read
+ actions: read
+
 jobs:
 setup:
 strategy:
diff --git a/.github/workflows/ci@main.yml b/.github/workflows/ci@main.yml
index dcca9d63..6c74aa51 100644
--- a/.github/workflows/ci@main.yml
+++ b/.github/workflows/ci@main.yml
@@ -12,6 +12,10 @@ on:
 - 'rush.json'
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+
+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
diff --git a/.github/workflows/common-pr-checks.yml b/.github/workflows/common-pr-checks.yml
index 6ae97857..9e44ce78 100644
--- a/.github/workflows/common-pr-checks.yml
+++ b/.github/workflows/common-pr-checks.yml
@@ -9,6 +9,9 @@ on:
 - 'rush.json'
 types: [opened, edited, synchronize, reopened]
 
+permissions:
+ contents: read
+
 jobs:
 common-checks:
 name: PR Common Checks
diff --git a/.github/workflows/idl.yaml b/.github/workflows/idl.yaml
index 807ce93b..b8fc3123 100644
--- a/.github/workflows/idl.yaml
+++ b/.github/workflows/idl.yaml
@@ -12,6 +12,9 @@ on:
 - 'idl/**'
 - '.github/workflows/idl.yaml'
 
+permissions:
+ contents: read
+
 jobs:
 validate-thrift:
 runs-on: ubuntu-latest
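Review bot: In the ci.yml hunk, `actions: read` is granted at workflow level, so every job in the file receives it although presumably only one job reads workflow-run or artifact metadata; moving it into that job's own `permissions:` block, or at least annotating it with a comment such as `# actions: read — required by <job> to read workflow-run/artifact data; remove if that step goes away`, would keep the grant justified. Because a top-level `permissions:` block resets every unlisted scope to `none`, any job in ci.yml, ci@main.yml, common-pr-checks.yml or idl.yaml that writes back (a PR comment, a check run, a release upload) now gets a 403 from the token; the jobs live outside these hunks, so each file's steps need checking before this merges. The same reset applies to the license-check.yaml and semantic-pull-request.yaml hunks on the following line.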
diff --git a/.github/workflows/license-check.yaml b/.github/workflows/license-check.yaml
index c88c689a..5ec548e4 100644
--- a/.github/workflows/license-check.yaml
+++ b/.github/workflows/license-check.yaml
@@ -7,6 +7,9 @@ on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 license-check:
 name: License Check
diff --git a/.github/workflows/semantic-pull-request.yaml b/.github/workflows/semantic-pull-request.yaml
index 7ea45395..9f90ac27 100644
--- a/.github/workflows/semantic-pull-request.yaml
+++ b/.github/workflows/semantic-pull-request.yaml
@@ -11,6 +11,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
 cancel-in-progress: true
 
+permissions:
+ pull-requests: read
+
 jobs:
 main:
 name: Check Pull Request Title
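Review bot: The semantic-pull-request.yaml hunk grants only `pull-requests: read`, which leaves `contents` at `none`; if the `main` job (outside the hunk) checks out the repository, or the title-checking action is configured to comment on failure, the run will fail on token permissions, so `contents: read` and/or `pull-requests: write` may be needed — confirm against the job's steps. A comment above the block, e.g. `# Only the PR title is read here; widen to pull-requests: write only if the action is set to post comments`, records the intent so the next alert-driven tightening does not silently break it. The license-check.yaml hunk has the same unlisted-scope effect for its `license-check` job, whose steps are also outside the hunk.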