From 07dcc2eae0d4c9595e959548503e65995eff9eba Mon Sep 17 00:00:00 2001
From: Franck Nijhof
Date: Sun, 15 Feb 2026 16:33:23 +0100
Subject: [PATCH] CI security hardening: restrict permissions in AI issue detection workflows (#163068)
---
 .github/workflows/detect-duplicate-issues.yml | 7 ++++---
 .github/workflows/detect-non-english-issues.yml | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/detect-duplicate-issues.yml b/.github/workflows/detect-duplicate-issues.yml
index e8e1c8f4a97..81e82875709 100644
--- a/.github/workflows/detect-duplicate-issues.yml
+++ b/.github/workflows/detect-duplicate-issues.yml
@@ -5,13 +5,14 @@ on:
 issues:
 types: [labeled]
-permissions:
- issues: write
- models: read
+permissions: {}
 jobs:
 detect-duplicates:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ models: read
 steps:
 - name: Check if integration label was added and extract details
diff --git a/.github/workflows/detect-non-english-issues.yml b/.github/workflows/detect-non-english-issues.yml
index 0d15d793a3b..34e5be2e906 100644
--- a/.github/workflows/detect-non-english-issues.yml
+++ b/.github/workflows/detect-non-english-issues.yml
@@ -5,13 +5,14 @@ on:
 issues:
 types: [opened]
-permissions:
- issues: write
- models: read
+permissions: {}
 jobs:
 detect-language:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ models: read
 steps:
 - name: Check issue language
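Review bot: The new top-level `permissions: {}` in detect-duplicate-issues.yml has no comment marking it as a deliberate default-deny, and the same is true in detect-non-english-issues.yml. A job added later without its own `permissions:` block will get a token with no scopes, and the likely quick fix is to widen the workflow level again, which undoes this hardening. I would put `# Default-deny: each job must declare the token scopes it needs` above `permissions: {}`, and a one-line comment above each job-level block saying which step needs `issues: write` and which needs `models: read`. Separately, both jobs still hold `issues: write` while handling issue content that any reporter controls. The `steps:` bodies continue outside these hunks, so it is worth confirming there that issue title and body reach scripts through `env:` variables rather than inline `${{ }}` interpolation, and that the model's output is treated as untrusted before it drives any label or comment write.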