From fd3c6af4d4e87c0e26c1861651224ef40976b6e1 Mon Sep 17 00:00:00 2001
From: Bryce Boe
Date: Mon, 15 Jun 2026 10:08:00 -0700
Subject: [PATCH 1/2] Scope GITHUB_TOKEN permissions to jobs in stale_action and tag_release

---
 .github/workflows/stale_action.yml | 7 ++++---
 .github/workflows/tag_release.yml | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/stale_action.yml b/.github/workflows/stale_action.yml
index 6f955ad..4909e0c 100644
--- a/.github/workflows/stale_action.yml
+++ b/.github/workflows/stale_action.yml
@@ -4,6 +4,9 @@ env:
 stale-close-label: Auto-closed - Stale
 jobs:
 stale:
+ permissions:
+ issues: write # required to comment on and close stale issues
+ pull-requests: write # required to comment on and close stale PRs
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
@@ -29,6 +32,4 @@ jobs:
 Remove the Stale label or comment or this will be closed in ${{ env.days-before-close }} days.
 name: Close stale issues and PRs
 on: workflow_call
-permissions:
- issues: write
- pull-requests: write
+permissions: {}
diff --git a/.github/workflows/tag_release.yml b/.github/workflows/tag_release.yml
index 9e10f6e..45c55c5 100644
--- a/.github/workflows/tag_release.yml
+++ b/.github/workflows/tag_release.yml
@@ -2,6 +2,8 @@ jobs:
 release_tag:
 if: "startsWith(github.event.head_commit.message, 'Merge pull request #') && contains(github.event.head_commit.message, format(' from {0}/prepare_release_v', github.repository_owner))"
 name: Tag Release
+ permissions:
+ contents: write # required to create the draft GitHub release
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -32,5 +34,4 @@ jobs:
 gh release create "v$version" "${args[@]}"
 name: Tag Release
 on: workflow_call
-permissions:
- contents: write
+permissions: {}
From b25ed5cb25f1cf6621ec2eb101f9e7ea45460767 Mon Sep 17 00:00:00 2001
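Review bot: The job-level grant on the `stale` job only takes effect when the calling workflow passes at least `issues: write` and `pull-requests: write`, because this file runs via `workflow_call` and a called workflow can narrow but not exceed the token permissions of its caller; a caller that is itself restricted to `contents: read` would most likely see the stale action fail at its first issue/PR API call with a permissions error rather than a clear configuration error. Worth recording next to the new block so callers know what to pass, e.g. `permissions: # caller must grant at least these scopes; a called workflow cannot elevate the caller's token`. The same consideration applies to the `contents: write` grant added to `release_tag` in tag_release.yml, whose caller must also grant that scope. The `stale` job body continues past the end of the hunk.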
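Review bot: With `contents: write` now attached to the `release_tag` job, the `actions/checkout` step that follows persists that write-capable token into the checked-out repository's git config by default, so every later step and any tool they invoke could push with it; if the release is created only through the `gh` CLI in the final step and no step pushes with git, add `with: persist-credentials: false` to the checkout step so the write token lives only in the environment of the step that needs it. The checkout step's `with:` block, if it has one, and the remaining steps of the job are outside this hunk, so I cannot confirm from here whether any step relies on git credentials. Either way a one-line comment such as `# token is write-scoped: avoid persisting it into .git/config unless a step pushes with git` next to the checkout would make the trade-off explicit.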
From: Bryce Boe
Date: Mon, 15 Jun 2026 10:08:01 -0700
Subject: [PATCH 2/2] Make lint workflow reusable via workflow_call

---
 .github/workflows/lint.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8b85331..95e9086 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -26,5 +26,6 @@ on:
 pull_request:
 push:
 branches: [main]
+ workflow_call:
 permissions:
 contents: read