From 5a3182c88d81cf84a48dfcb530ab6008f1c6ea1f Mon Sep 17 00:00:00 2001
From: Kent Gruber
Date: Wed, 29 Oct 2025 14:50:54 -0400
Subject: [PATCH] Set explicit permissions for GitHub Actions workflows

This change was made by an automated process to ensure all GitHub Actions workflows have explicitly defined permissions as per best practices.
---
.github/workflows/chromatic.yml | 5 +++++
.github/workflows/lint-and-test.yml | 3 +++
.github/workflows/playwright.yml | 3 +++
.github/workflows/test.yml | 3 +++
.github/workflows/trigger-downstream-updates.yml | 3 +++
5 files changed, 17 insertions(+)
diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
index 6ea7ec866b..57aa5898af 100644
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -6,6 +6,11 @@ on:
 pull_request_target:
 branches: [main, 'codefreeze-*']
+permissions:
+ contents: read
+ pull-requests: write
+ statuses: write
+
 jobs:
 chromatic:
 name: Run Chromatic
diff --git a/.github/workflows/lint-and-test.yml b/.github/workflows/lint-and-test.yml
index b050f5df95..bcc5eb516e 100644
--- a/.github/workflows/lint-and-test.yml
+++ b/.github/workflows/lint-and-test.yml
@@ -11,6 +11,9 @@ on:
 - 'LICENSE'
 - 'CODEOWNERS'
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
index 30b2643132..d6170cf31a 100644
--- a/.github/workflows/playwright.yml
+++ b/.github/workflows/playwright.yml
@@ -11,6 +11,9 @@ on:
 - 'LICENSE'
 - 'CODEOWNERS'
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4db5a29123..f0b3a851bd 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
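Review bot: In the chromatic.yml hunk, `pull-requests: write` and `statuses: write` are granted at workflow level on a workflow triggered by `pull_request_target`, which runs in the base repository's context (with its secrets) for pull requests from forks; a workflow-level block applies to every job and every step, not just the one that reports Chromatic results. The job body is outside this hunk, so I cannot see whether it checks out the PR head ref; if it does, these write scopes should move to a job-level `permissions:` on only the job that needs them, leaving the workflow-level block at `contents: read` like the other four hunks in this patch. It is also worth confirming which scope Chromatic actually uses for reporting — `statuses: write` covers the commit-status API, while check runs would need `checks: write` — so that the pinned set is the minimum that works rather than a guess. The remaining hunks (lint-and-test, playwright, test, trigger-downstream-updates) add only `contents: read`, which is the right read-only default.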
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main, 'codefreeze-*']
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/trigger-downstream-updates.yml b/.github/workflows/trigger-downstream-updates.yml
index f557df7bc6..a78984de12 100644
--- a/.github/workflows/trigger-downstream-updates.yml
+++ b/.github/workflows/trigger-downstream-updates.yml
@@ -16,6 +16,9 @@ on:
 required: false
 default: ''
+permissions:
+ contents: read
+
 jobs:
 trigger-updates:
 runs-on: ubuntu-latest
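Review bot: In the trigger-downstream-updates.yml hunk, `contents: read` is the correct workflow-level default, but the hunk context shows a `workflow_dispatch` input (`required: false`, `default: ''`) whose consumer is outside the hunk, so I cannot see how it is used. If the `trigger-updates` job interpolates that input directly into a `run:` step, it should instead be passed via `env:` and read as a shell variable — the permissions block constrains the token, not what a dispatched string can do inside the step. Since `GITHUB_TOKEN` cannot dispatch workflows in other repositories, the job presumably already relies on a separately stored token for the downstream updates; that assumption should be confirmed by one manual dispatch after this change so the read-only block is known not to break it.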