From 7dba12343f51886218ff6cd564431c87d6264850 Mon Sep 17 00:00:00 2001
From: Xiao Xufeng
Date: Mon, 23 Mar 2026 20:58:39 +0800
Subject: [PATCH] ci(github): update workflow permission

---
 .github/workflows/docker.yml | 3 +++
 .github/workflows/issue_comment.yml | 4 ++++
 .github/workflows/new_issues.yml | 3 +++
 .github/workflows/new_prs.yml | 3 +++
 .github/workflows/pr_approved.yml | 4 ++++
 .github/workflows/release_zips.yml | 3 +++
 6 files changed, 20 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 60c0e4a913..d811d2221c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,5 +1,8 @@
 name: docker
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/issue_comment.yml b/.github/workflows/issue_comment.yml
index f78a699082..ee9a1be86e 100644
--- a/.github/workflows/issue_comment.yml
+++ b/.github/workflows/issue_comment.yml
@@ -1,5 +1,9 @@
 name: Sync issue comments to JIRA
+permissions:
+ issues: write
+ pull-requests: write
+
 # This workflow will be triggered when new issue comment is created (including PR comments)
 on: issue_comment
diff --git a/.github/workflows/new_issues.yml b/.github/workflows/new_issues.yml
index 7a8879a42a..61e4a2593c 100644
--- a/.github/workflows/new_issues.yml
+++ b/.github/workflows/new_issues.yml
@@ -1,5 +1,8 @@
 name: Sync issues to Jira
+permissions:
+ issues: write
+
 # This workflow will be triggered when a new issue is opened
 on: issues
diff --git a/.github/workflows/new_prs.yml b/.github/workflows/new_prs.yml
index 3000aff80a..115dfad2a8 100644
--- a/.github/workflows/new_prs.yml
+++ b/.github/workflows/new_prs.yml
@@ -1,5 +1,8 @@
 name: Sync remain PRs to Jira
+permissions:
+ pull-requests: write
+
 # This workflow will be triggered every hour, to sync remaining PRs (i.e. PRs with zero comment) to Jira project
 # Note that, PRs can also get synced when new PR comment is created
 on:
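Review bot: In `.github/workflows/issue_comment.yml` the `issues: write` and `pull-requests: write` scopes are granted at workflow level, so every job and every action those jobs call receives a token that can edit issues and pull requests, on a trigger that any commenter can fire. The jobs are outside the hunk, so this is something to confirm rather than a finding: if only the Jira sync step needs write access, declare it under `jobs.<job_id>.permissions` and keep the top level at `permissions: {}`. The same applies to `issues: write` in `new_issues.yml`, `pull-requests: write` in `new_prs.yml` and `contents: write` in `release_zips.yml`. A short comment above each block, for example `# write: the sync action edits the issue/PR after creating the Jira ticket`, would record why the scope is needed; the wording should be checked against what the action actually does.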
diff --git a/.github/workflows/pr_approved.yml b/.github/workflows/pr_approved.yml
index a641a7e501..d2b37f6bf7 100644
--- a/.github/workflows/pr_approved.yml
+++ b/.github/workflows/pr_approved.yml
@@ -1,4 +1,8 @@
 name: Sync approved PRs to internal codebase
+
+permissions:
+ contents: read
+
 on:
 pull_request_target:
 types: [labeled]
diff --git a/.github/workflows/release_zips.yml b/.github/workflows/release_zips.yml
index bc2bf7b5c0..ec6bf6976a 100644
--- a/.github/workflows/release_zips.yml
+++ b/.github/workflows/release_zips.yml
@@ -1,5 +1,8 @@
 name: Create zip file with recursive source clone for release
+permissions:
+ contents: write
+
 on:
 push:
 tags:
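Review bot: In `.github/workflows/pr_approved.yml` the new `contents: read` block narrows only the `GITHUB_TOKEN`; because the trigger is `pull_request_target`, the job still runs in the base repository's context with access to repository secrets, and the hunk does not show what it checks out. The jobs are outside the hunk, so it is worth confirming that no step checks out or executes the PR head, and that the sync credential is the only secret the job can reach. Also confirm that nothing in the job comments on or relabels the PR, since every scope not listed in the block is now `none`. I would add a comment above the block such as `# pull_request_target: runs with base-repo secrets; do not check out PR head code here`.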