From 9ed32e2c5e4d63f06e4438352cf014a3553d4613 Mon Sep 17 00:00:00 2001
From: GAdityaVarma
Date: Wed, 8 Apr 2026 19:28:28 +0530
Subject: [PATCH] SECCMP-1797: Harden permissions - add top-level read, fix contents: write

Adds top-level permissions: contents: read to restrict the default GITHUB_TOKEN. Also fixes the previous contents: write on the copyright-validation job to contents: read. This follows the principle of least privilege recommended in GitHub's PwnRequest security guidance.
---
 .github/workflows/pr-workflow.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/pr-workflow.yaml b/.github/workflows/pr-workflow.yaml
index 4562e18d6..c0275b1b2 100644
--- a/.github/workflows/pr-workflow.yaml
+++ b/.github/workflows/pr-workflow.yaml
@@ -1,23 +1,22 @@
 name: PR Workflow
 on:
- # Using pull_request_target instead of pull_request to handle PRs from forks
 pull_request_target:
 types: [opened, edited, reopened, synchronize]
- # No branch filtering - will run on all PRs
+
+permissions:
+ contents: read
 jobs:
 jira-pr-check:
 name: 🏷️ Validate JIRA ticket ID
- # Use the reusable workflow from the central repository
 uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main
 with:
- # Pass the PR title from the event context
 pr-title: ${{ github.event.pull_request.title }}
 copyright-validation:
 name: © Validate Copyright Headers
 uses: marklogic/pr-workflows/.github/workflows/copyright-check.yml@main
 permissions:
- contents: write
+ contents: read
 pull-requests: write
 issues: write
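Review bot: Both `uses:` lines in this hunk still reference the reusable workflows at the mutable `@main` ref, so the token scopes tightened here are only as strong as whatever marklogic/pr-workflows happens to contain at run time; pinning each to a full commit SHA, e.g. `uses: marklogic/pr-workflows/.github/workflows/copyright-check.yml@<commit-sha>  # vX.Y`, with a deliberate bump process, would make the permission reduction hold. The copyright-validation job also keeps both `pull-requests: write` and `issues: write` under a `pull_request_target` trigger, which runs with a write-capable token for fork PRs; it is worth confirming against the called workflow which of the two it actually needs and dropping the other, since a job-level `permissions` block replaces the top-level one rather than adding to it. Separately, `pr-title: ${{ github.event.pull_request.title }}` hands PR-author-controlled text to the called workflow, which is safe only if that workflow reads it through an input/env rather than inline in a `run:` step — not visible here, so worth a check. Finally, the hunk deletes the comment explaining why `pull_request_target` is used; a one-line rationale such as `# pull_request_target: runs the base-branch workflow with a privileged token on fork PRs — never check out or execute PR head code in this workflow` would preserve that context for the next maintainer.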