From b13c95032800b76587e43c31d89d7963c6edc0cd Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Fri, 20 Jun 2025 12:15:38 -0400
Subject: [PATCH] [BRE-848] Adding Workflow Permissions (#5985)

---
 .github/workflows/enforce-labels.yml | 3 +++
 .github/workflows/protect-files.yml | 3 +++
 .github/workflows/stale-bot.yml | 5 +++++
 .github/workflows/test-database.yml | 7 +++++++
 4 files changed, 18 insertions(+)

diff --git a/.github/workflows/enforce-labels.yml b/.github/workflows/enforce-labels.yml
index 11d5654937..353127c751 100644
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -4,6 +4,9 @@ on:
   workflow_call:
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]
+
+permissions: {}
+
 jobs:
   enforce-label:
     if: ${{ contains(github.event.*.labels.*.name, 'hold') || contains(github.event.*.labels.*.name, 'needs-qa') || contains(github.event.*.labels.*.name, 'DB-migrations-changed') || contains(github.event.*.labels.*.name, 'ephemeral-environment') }}
diff --git a/.github/workflows/protect-files.yml b/.github/workflows/protect-files.yml
index 89d6d4c6d9..546b8344a6 100644
--- a/.github/workflows/protect-files.yml
+++ b/.github/workflows/protect-files.yml
@@ -16,6 +16,9 @@ jobs:
   changed-files:
     name: Check for file changes
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
     outputs:
       changes: ${{steps.check-changes.outputs.changes_detected}}
diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index 9420f71cb3..83d492645e 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -8,6 +8,11 @@ jobs:
   stale:
     name: Check for stale issues and PRs
     runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+      contents: read
+      issues: write
+      pull-requests: write
     steps:
       - name: Check
         uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
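Review bot: The workflow-level `permissions: {}` leaves the enforce-label job with a GITHUB_TOKEN that has no scopes at all, and the hunk adds no job-level block, so any step that calls the API (a labeler action, `gh`) will now fail with 403; the job body continues outside the hunk, so confirm its steps only evaluate the event payload the way the visible `if:` expression does. Because the workflow is also reachable via `workflow_call`, this file can only narrow what a caller grants, which is the right direction for a reusable check. If the job really needs no token, record that above the block with `# no token scopes needed: the job only inspects the event payload` so a later maintainer does not widen it by reflex.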
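Review bot: Only the changed-files job receives a permissions block, and the workflow has no top-level `permissions:`, so any other job in protect-files.yml (the `outputs.changes` value suggests downstream jobs consume it) still runs with the repository's default token. test-database.yml in this same patch adds a workflow-level `contents: read`; adding the same here, or `permissions: {}` as enforce-labels.yml does, makes every unlisted job default to least privilege instead of the repository setting. The same gap exists in stale-bot.yml. `pull-requests: write` presumably backs a PR comment or label step that is outside the hunk; a trailing comment naming that step would make the grant auditable.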
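Review bot: `actions: write` is the broadest scope in the stale job's block — it also permits cancelling and re-running workflow runs — and nothing in the hunk records why it is needed. actions/stale documents that scope for managing its state cache; if that is the reason, a trailing comment `actions: write  # required by actions/stale for its state cache` keeps the grant from reading as an oversight. `contents: read` rather than `write` implies the delete-branch option is not in use, which is consistent with the stated purpose. The steps list continues outside the hunk, so confirm no later step relies on a broader token.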
diff --git a/.github/workflows/test-database.yml b/.github/workflows/test-database.yml
index 26db5ea0a4..23722e2e8d 100644
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@@ -31,10 +31,17 @@ on:
       - "test/Infrastructure.IntegrationTest/**" # Any changes to the tests
       - "src/**/Entities/**/*.cs" # Database entity definitions
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Run tests
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      actions: read
+      checks: write
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
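Review bot: The job-level block repeats `contents: read` because a job-level `permissions:` replaces the workflow-level set rather than extending it; that is correct here, but the repetition is easy to mistake for a copy-paste error, so a comment such as `# job-level permissions replace the workflow set, so contents: read must be restated` is worth adding. `checks: write` and `actions: read` are not explained either; if they serve a test-report step (the steps continue outside the hunk), trailing comments like `checks: write  # test report publishing` would make the audit trail explicit. The scopes are also unsorted (contents, actions, checks) whereas stale-bot.yml's block is alphabetical; ordering them the same way keeps the four files in this patch consistent.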