From 711317c7017a9a992864066fb10f06a5e21ec05e Mon Sep 17 00:00:00 2001
From: Albert Mavashev
Date: Sat, 2 May 2026 16:44:37 -0400
Subject: [PATCH] ops: tighten workflow token permissions

Same pattern as runcycles/cycles-server#144. Rewrites the canonical dependabot-auto-merge.yml top-level write block into top-level read-all + per-job writes. Addresses Token-Permissions criterion from OpenSSF Scorecard.
---
 .github/workflows/dependabot-auto-merge.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 9569b47..6ad171c 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -2,14 +2,18 @@ name: Dependabot auto-merge
 on: pull_request
-permissions:
-  contents: write
-  pull-requests: write
+# Default to read-all at top level; the automerge job below escalates only the
+# narrow scopes it actually needs. Per OpenSSF Scorecard's Token-Permissions
+# criterion: avoid blanket write at the workflow level.
+permissions: read-all
 jobs:
   automerge:
     runs-on: ubuntu-latest
     if: github.event.pull_request.user.login == 'dependabot[bot]'
+    permissions:
+      contents: write # required to enable auto-merge
+      pull-requests: write # required to mark the PR as auto-merge
     steps:
       - name: Fetch Dependabot metadata
         id: meta
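Review bot: The new header comment above `permissions: read-all` says the automerge job "escalates only the narrow scopes it actually needs", but a job-level `permissions` block replaces the workflow-level grant for that job rather than adding to it, so the automerge token carries exactly `contents: write` and `pull-requests: write` and every other scope is `none` for that job. Suggest replacing the first two comment lines with `# Default to read-all at top level. A job-level permissions block replaces this default entirely for that job, so the automerge job's token holds only the two write scopes it lists.` so the next maintainer does not assume read access to other scopes is inherited. The two inline comments on the added write lines should also be preceded by two spaces before `#` (yamllint `comments`). Whether `contents: write` is genuinely needed depends on the steps after `id: meta`, which lie outside the hunk; if the job runs `gh pr merge --auto` it is, and in that case consider gating the merge step on `steps.meta.outputs.update-type` so a compromised major release is not merged unattended.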