From ab693a926f13cc2c4c4a3ab19d5405471f87236b Mon Sep 17 00:00:00 2001
From: lauren
Date: Fri, 21 Mar 2025 14:40:55 -0400
Subject: [PATCH] [ci] Scope permissions for all workflows (#32704)
---
.github/workflows/compiler_discord_notify.yml | 2 ++
.github/workflows/compiler_playground.yml | 2 ++
.github/workflows/compiler_prereleases.yml | 3 ++-
.github/workflows/compiler_prereleases_manual.yml | 2 ++
.github/workflows/compiler_prereleases_nightly.yml | 2 ++
.github/workflows/compiler_prereleases_weekly.yml | 2 ++
.github/workflows/compiler_typescript.yml | 2 ++
.github/workflows/devtools_regression_tests.yml | 5 +++++
.github/workflows/runtime_build_and_test.yml | 5 +++++
.github/workflows/runtime_discord_notify.yml | 2 ++
.github/workflows/runtime_eslint_plugin_e2e.yml | 2 ++
.github/workflows/runtime_fuzz_tests.yml | 2 ++
.github/workflows/runtime_prereleases.yml | 3 ++-
.github/workflows/runtime_prereleases_manual.yml | 2 ++
.github/workflows/runtime_prereleases_nightly.yml | 2 ++
.github/workflows/runtime_releases_from_npm_manual.yml | 3 ++-
.github/workflows/shared_check_maintainer.yml | 5 +++++
.github/workflows/shared_cleanup_merged_branch_caches.yml | 2 ++
.github/workflows/shared_cleanup_stale_branch_caches.yml | 2 ++
.github/workflows/shared_close_direct_sync_branch_prs.yml | 2 ++
.github/workflows/shared_label_core_team_prs.yml | 2 ++
.github/workflows/shared_lint.yml | 2 ++
.github/workflows/shared_stale.yml | 2 ++
23 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/compiler_discord_notify.yml b/.github/workflows/compiler_discord_notify.yml
index 5b46d0f876..ca7feaae50 100644
--- a/.github/workflows/compiler_discord_notify.yml
+++ b/.github/workflows/compiler_discord_notify.yml
@@ -7,6 +7,8 @@ on: - compiler/** - .github/workflows/compiler_**.yml +permissions: {} + jobs: check_maintainer: uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main
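Review bot: With `permissions: {}` at the workflow level, the `check_maintainer` job that calls `shared_check_maintainer.yml` hands the reusable workflow an empty token scope, and as I read the reusable-workflow rules a called workflow can only downgrade, never raise, what its caller grants, so the `contents: read` that shared_check_maintainer.yml declares for its own job would not take effect from this caller. On a public repository actions/checkout still clones without a token, so the MAINTAINERS lookup may keep working by accident rather than by design; if it is meant to rely on the token, grant it in the caller job: `check_maintainer:` / `  permissions:` / `    contents: read`. runtime_discord_notify.yml calls the same reusable workflow and raises the same question. The `jobs:` block continues past the end of the hunk, so a later job-level grant would not be visible here.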
diff --git a/.github/workflows/compiler_playground.yml b/.github/workflows/compiler_playground.yml
index 224c82e6de..edd95e365e 100644
--- a/.github/workflows/compiler_playground.yml
+++ b/.github/workflows/compiler_playground.yml
@@ -8,6 +8,8 @@ on: - compiler/** - .github/workflows/compiler_playground.yml +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true
diff --git a/.github/workflows/compiler_prereleases.yml b/.github/workflows/compiler_prereleases.yml
index 5a3122d0ed..7928bd430e 100644
--- a/.github/workflows/compiler_prereleases.yml
+++ b/.github/workflows/compiler_prereleases.yml
@@ -20,11 +20,12 @@ on: NPM_TOKEN: required: true +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1 - GH_TOKEN: ${{ github.token }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} defaults:
diff --git a/.github/workflows/compiler_prereleases_manual.yml b/.github/workflows/compiler_prereleases_manual.yml
index 3e42ae2cf2..4960489590 100644
--- a/.github/workflows/compiler_prereleases_manual.yml
+++ b/.github/workflows/compiler_prereleases_manual.yml
@@ -15,6 +15,8 @@ on: required: true type: string +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles
diff --git a/.github/workflows/compiler_prereleases_nightly.yml b/.github/workflows/compiler_prereleases_nightly.yml
index 82f893aa5e..07919d7843 100644
--- a/.github/workflows/compiler_prereleases_nightly.yml
+++ b/.github/workflows/compiler_prereleases_nightly.yml
@@ -5,6 +5,8 @@ on: # At 10 minutes past 16:00 on Mon, Tue, Wed, Thu, and Fri - cron: 10 16 * * 1,2,3,4,5 +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles
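Review bot: Dropping `GH_TOKEN: ${{ github.token }}` from the workflow-level `env` in compiler_prereleases.yml is the right direction, but the jobs that consumed it are outside this hunk, so the diff does not show whether any step still invokes the `gh` CLI or otherwise reads `GH_TOKEN`; such a step would now fail at run time with an unauthenticated call rather than at parse time. If one does, move the token into that step's own `env` and give the job the narrowest matching scope instead of restoring it globally. The same removal appears in runtime_prereleases.yml and runtime_releases_from_npm_manual.yml. Separately, `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` stays a workflow-level env, which exposes the publish credential to every step of every job; scoping it to the publish step would complete the least-privilege pass this commit starts.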
diff --git a/.github/workflows/compiler_prereleases_weekly.yml b/.github/workflows/compiler_prereleases_weekly.yml
index 79a9451b69..72af00d521 100644
--- a/.github/workflows/compiler_prereleases_weekly.yml
+++ b/.github/workflows/compiler_prereleases_weekly.yml
@@ -5,6 +5,8 @@ on: # At 10 minutes past 9:00 on Mon - cron: 10 9 * * 1 +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles
diff --git a/.github/workflows/compiler_typescript.yml b/.github/workflows/compiler_typescript.yml
index 1ce668de04..9c749a3bfb 100644
--- a/.github/workflows/compiler_typescript.yml
+++ b/.github/workflows/compiler_typescript.yml
@@ -8,6 +8,8 @@ on: - compiler/** - .github/workflows/compiler_typescript.yml +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true
diff --git a/.github/workflows/devtools_regression_tests.yml b/.github/workflows/devtools_regression_tests.yml
index 399772cf83..cb6a5b68a8 100644
--- a/.github/workflows/devtools_regression_tests.yml
+++ b/.github/workflows/devtools_regression_tests.yml
@@ -9,6 +9,8 @@ on: required: false type: string +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
@@ -18,6 +20,9 @@ jobs: download_build: name: Download base build runs-on: ubuntu-latest + permissions: # We use github.token to download the build artifact from a previous runtime_build_and_test.yml run actions: read steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4
diff --git a/.github/workflows/runtime_build_and_test.yml b/.github/workflows/runtime_build_and_test.yml
index 3fc608e01c..343c32724e 100644
--- a/.github/workflows/runtime_build_and_test.yml
+++ b/.github/workflows/runtime_build_and_test.yml
@@ -7,6 +7,8 @@ on: paths-ignore: - compiler/** +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true
@@ -768,6 +770,9 @@ jobs: if: ${{ github.event_name == 'pull_request' && github.ref_name != 'main' && github.event.pull_request.base.ref == 'main' }} name: Run sizebot needs: [build_and_lint] + permissions: # We use github.token to download the build artifact from a previous runtime_build_and_test.yml run actions: read runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
diff --git a/.github/workflows/runtime_discord_notify.yml b/.github/workflows/runtime_discord_notify.yml
index f2be08f904..c6da99646c 100644
--- a/.github/workflows/runtime_discord_notify.yml
+++ b/.github/workflows/runtime_discord_notify.yml
@@ -7,6 +7,8 @@ on: - compiler/** - .github/workflows/compiler_**.yml +permissions: {} + jobs: check_maintainer: uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main
diff --git a/.github/workflows/runtime_eslint_plugin_e2e.yml b/.github/workflows/runtime_eslint_plugin_e2e.yml
index c75f998e8c..9b3d134204 100644
--- a/.github/workflows/runtime_eslint_plugin_e2e.yml
+++ b/.github/workflows/runtime_eslint_plugin_e2e.yml
@@ -7,6 +7,8 @@ on: paths-ignore: - compiler/** +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true
diff --git a/.github/workflows/runtime_fuzz_tests.yml b/.github/workflows/runtime_fuzz_tests.yml
index 66ddba318f..a88ce523a6 100644
--- a/.github/workflows/runtime_fuzz_tests.yml
+++ b/.github/workflows/runtime_fuzz_tests.yml
@@ -8,6 +8,8 @@ on: - main workflow_dispatch: +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles
diff --git a/.github/workflows/runtime_prereleases.yml b/.github/workflows/runtime_prereleases.yml
index 4e1f8c21ca..147ec0a496 100644
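Review bot: The sizebot job in runtime_build_and_test.yml (the `@@ -768` hunk) now holds only `actions: read`; if any of its steps publish the size comparison as a PR comment through `github.token`, that call will fail under the empty workflow-level grant and needs `pull-requests: write` declared next to `actions: read`, whereas if it uses a dedicated bot credential the current scope is correct. This cannot be settled from the diff because the job's `steps:` continue past the end of the hunk. Note also that on `pull_request` runs from forks the token is read-only whatever is declared, so the `if:` guard on this job does not by itself make a write grant effective.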
--- a/.github/workflows/runtime_prereleases.yml
+++ b/.github/workflows/runtime_prereleases.yml
@@ -17,11 +17,12 @@ on: NPM_TOKEN: required: true +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1 - GH_TOKEN: ${{ github.token }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} jobs:
diff --git a/.github/workflows/runtime_prereleases_manual.yml b/.github/workflows/runtime_prereleases_manual.yml
index 4c25ddc79b..77d3fd5e43 100644
--- a/.github/workflows/runtime_prereleases_manual.yml
+++ b/.github/workflows/runtime_prereleases_manual.yml
@@ -6,6 +6,8 @@ on: prerelease_commit_sha: required: true +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles
diff --git a/.github/workflows/runtime_prereleases_nightly.yml b/.github/workflows/runtime_prereleases_nightly.yml
index fe038042f3..4622e15f55 100644
--- a/.github/workflows/runtime_prereleases_nightly.yml
+++ b/.github/workflows/runtime_prereleases_nightly.yml
@@ -5,6 +5,8 @@ on: # At 10 minutes past 16:00 on Mon, Tue, Wed, Thu, and Fri - cron: 10 16 * * 1,2,3,4,5 +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles
diff --git a/.github/workflows/runtime_releases_from_npm_manual.yml b/.github/workflows/runtime_releases_from_npm_manual.yml
index 58972d8a88..4bc3957486 100644
--- a/.github/workflows/runtime_releases_from_npm_manual.yml
+++ b/.github/workflows/runtime_releases_from_npm_manual.yml
@@ -31,11 +31,12 @@ on: type: boolean default: false +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1 - GH_TOKEN: ${{ github.token }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} jobs:
diff --git a/.github/workflows/shared_check_maintainer.yml b/.github/workflows/shared_check_maintainer.yml
index c20047d600..3bc1ad1e23 100644
--- a/.github/workflows/shared_check_maintainer.yml
+++ b/.github/workflows/shared_check_maintainer.yml
@@ -14,6 +14,8 @@ on: is_core_team: value: ${{ jobs.check_maintainer.outputs.is_core_team }} +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
@@ -22,6 +24,9 @@ env: jobs: check_maintainer: runs-on: ubuntu-latest + permissions: # We fetch the contents of the MAINTAINERS file contents: read outputs: is_core_team: ${{ steps.check_if_actor_is_maintainer.outputs.result }} steps:
diff --git a/.github/workflows/shared_cleanup_merged_branch_caches.yml b/.github/workflows/shared_cleanup_merged_branch_caches.yml
index 730eda3623..ed80a505e4 100644
--- a/.github/workflows/shared_cleanup_merged_branch_caches.yml
+++ b/.github/workflows/shared_cleanup_merged_branch_caches.yml
@@ -11,6 +11,8 @@ on: required: true type: string +permissions: {} + jobs: cleanup: runs-on: ubuntu-latest
diff --git a/.github/workflows/shared_cleanup_stale_branch_caches.yml b/.github/workflows/shared_cleanup_stale_branch_caches.yml
index e480a8ae10..a6d50a7992 100644
--- a/.github/workflows/shared_cleanup_stale_branch_caches.yml
+++ b/.github/workflows/shared_cleanup_stale_branch_caches.yml
@@ -6,6 +6,8 @@ on: - cron: 0 0 * * * workflow_dispatch: +permissions: {} + jobs: cleanup: runs-on: ubuntu-latest
diff --git a/.github/workflows/shared_close_direct_sync_branch_prs.yml b/.github/workflows/shared_close_direct_sync_branch_prs.yml
index 7575c0e913..abf8db919f 100644
--- a/.github/workflows/shared_close_direct_sync_branch_prs.yml
+++ b/.github/workflows/shared_close_direct_sync_branch_prs.yml
@@ -5,6 +5,8 @@ on: branches: - 'builds/facebook-**' +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
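Review bot: The `cleanup` job in shared_cleanup_merged_branch_caches.yml is shown only down to `runs-on: ubuntu-latest`, so this hunk does not establish that the cache-deletion step regains the scope it needs; deleting Actions caches through the REST API requires `actions: write`, and with the empty workflow-level map a job-level `permissions:` / `actions: write` is the only place it can come from. Please confirm the job declares it further down, outside the hunk, otherwise the cleanup fails with a 403 on its next run. The same check applies to shared_cleanup_stale_branch_caches.yml (`actions: write`), shared_close_direct_sync_branch_prs.yml and shared_label_core_team_prs.yml (`pull-requests: write`), and shared_stale.yml (`issues: write` and `pull-requests: write`), none of whose hunks show a job-level grant.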
diff --git a/.github/workflows/shared_label_core_team_prs.yml b/.github/workflows/shared_label_core_team_prs.yml
index dc432b54f7..9b9e6149ed 100644
--- a/.github/workflows/shared_label_core_team_prs.yml
+++ b/.github/workflows/shared_label_core_team_prs.yml
@@ -3,6 +3,8 @@ name: (Shared) Label Core Team PRs on: pull_request_target: +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout
diff --git a/.github/workflows/shared_lint.yml b/.github/workflows/shared_lint.yml
index f9d1e7972c..e14e9a252b 100644
--- a/.github/workflows/shared_lint.yml
+++ b/.github/workflows/shared_lint.yml
@@ -5,6 +5,8 @@ on: branches: [main] pull_request: +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true
diff --git a/.github/workflows/shared_stale.yml b/.github/workflows/shared_stale.yml
index 8d505e856e..a2c707973c 100644
--- a/.github/workflows/shared_stale.yml
+++ b/.github/workflows/shared_stale.yml
@@ -6,6 +6,8 @@ on: - cron: '0 * * * *' workflow_dispatch: +permissions: {} + env: TZ: /usr/share/zoneinfo/America/Los_Angeles