From ed104a9297b5b8867166ccf344c901f5ae00a898 Mon Sep 17 00:00:00 2001
From: Musa Jundi
Date: Thu, 21 May 2026 16:55:08 -0500
Subject: [PATCH] ci: per-job permissions for publish-pypi, release-doctor, sync-labels, semgrep

- publish-pypi: contents: read -- publish step uses PYPI_TOKEN, not GITHUB_TOKEN.
- release-doctor: contents: read -- only runs a local sanity-check script.
- sync-labels: issues: write -- micnncim/action-label-syncer manages repo labels via GITHUB_TOKEN.
- semgrep: contents: read -- only checks out code and runs semgrep ci.

Matches the per-job permissions style already used in ci.yml and detect-breaking-changes.yml.

Co-authored-by: arpitjain099
---
 .github/workflows/publish-pypi.yml | 2 ++
 .github/workflows/release-doctor.yml | 2 ++
 .github/workflows/semgrep.yml | 2 ++
 .github/workflows/sync-labels.yml | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 5d3e356c4f2..8631c071446 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -11,6 +11,8 @@ on:
 
 jobs:
   publish:
     name: publish
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/release-doctor.yml b/.github/workflows/release-doctor.yml
index 41be236b980..2966355f4f3 100644
--- a/.github/workflows/release-doctor.yml
+++ b/.github/workflows/release-doctor.yml
@@ -13,6 +13,8 @@ concurrency:
 jobs:
   release_doctor:
     name: release doctor
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 2
     if: github.repository == 'cloudflare/cloudflare-python' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || startsWith(github.head_ref, 'release-please') || github.head_ref == 'next')
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 4fdad87e311..b7edd0d6ad7 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
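Review bot: The reason `contents: read` is sufficient for the publish job — the publish step authenticates with PYPI_TOKEN rather than GITHUB_TOKEN — is stated only in the commit message, while the sync-labels hunk in this same patch carries its rationale inline; for consistency put it next to the grant, `contents: read # publish uses PYPI_TOKEN, not GITHUB_TOKEN`. Keep in mind that a job-level `permissions` block sets every unlisted scope to none, so any step under `steps:` that needs more from GITHUB_TOKEN (for example OIDC trusted publishing, which requires `id-token: write`) would start failing; the job's steps lie outside this hunk, so confirm against them before merging.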
@@ -6,6 +6,8 @@ name: Semgrep config
 jobs:
   semgrep:
     name: semgrep/ci
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     env:
       SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 883eebba725..d5102f68719 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -8,6 +8,8 @@ on:
       - .github/labels.yml
 jobs:
   build:
+    permissions:
+      issues: write # action-label-syncer creates/updates repo labels
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
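Review bot: `contents: read` is only enough if `semgrep ci` reports exclusively through SEMGREP_APP_TOKEN (the env entry visible in the hunk); the job's steps are outside this hunk, and if any of them uploads results to code scanning via `github/codeql-action/upload-sarif`, that step needs `security-events: write` and will be refused once unlisted scopes drop to none. Please verify the remaining steps, and document the assumption beside the grant as the sync-labels hunk does, e.g. `contents: read # semgrep ci reports via SEMGREP_APP_TOKEN, not GITHUB_TOKEN`.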
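Review bot: Granting only `issues: write` sets `contents` to none for GITHUB_TOKEN, yet the very next step in this hunk is `actions/checkout@v2`, which action-label-syncer relies on to read `.github/labels.yml` from the working tree; checkout with a token lacking `contents: read` can fail with a 403 (a commonly reported pitfall, and certain for private repositories), so add the read scope alongside: `permissions:` / `contents: read # actions/checkout needs to read .github/labels.yml` / `issues: write # action-label-syncer creates/updates repo labels`. Separately, `actions/checkout@v2` is a deprecated Node 12 release; moving to a current major pinned to a commit SHA would be a small supply-chain improvement, though it is outside this commit's scope.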