From 60b94c6a3ed915e5ec1fe610d724057ce0b233e1 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2026 16:04:19 -0800 Subject: [PATCH] Add least-privilege permissions to triage workflow Add explicit permissions: block (pull-requests: write, issues: write) to constrain GITHUB_TOKEN scope on pull_request_target trigger. Ref: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation Co-Authored-By: Claude Opus 4.6 --- .github/workflows/triage.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml index f1363a4b8..5203ce171 100644 --- a/.github/workflows/triage.yml +++ b/.github/workflows/triage.yml @@ -10,6 +10,10 @@ on: - opened - reopened +permissions: + pull-requests: write + issues: write + jobs: triage: uses: smallstep/workflows/.github/workflows/triage.yml@main
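Review bot: the new workflow-level `permissions:` block in the `@@ -10,6 +10,10 @@` hunk sets every unlisted scope, including `contents`, to `none`, and the caller's permissions are the ceiling for the reusable workflow it invokes (`uses: smallstep/workflows/.github/workflows/triage.yml@main`), so before merging confirm that the called triage workflow does not run `actions/checkout` or otherwise read repository contents; if it does, add `contents: read` alongside `pull-requests: write` and `issues: write`, or the job will start failing rather than being hardened. Since this workflow runs on `pull_request_target` with a token that can still write to issues and PRs, consider pinning the reusable workflow to a commit SHA instead of `@main` and noting in the commit message why `issues: write` is needed in addition to `pull-requests: write`, so the next reviewer can tell which scope each triage action depends on.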