From 71e9d54105d4f94bbbfc7cbe4a286af9326311e5 Mon Sep 17 00:00:00 2001
From: Franck Nijhof
Date: Sun, 15 Feb 2026 11:21:46 +0100
Subject: [PATCH] CI security hardening: restrict permissions in stale workflow (#163049)
---
 .github/workflows/stale.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index f1e627fa38c..c8eb41d0850 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,10 +6,15 @@ on:
 - cron: "0 * * * *"
 workflow_dispatch:
+permissions: {}
+
 jobs:
 stale:
 if: github.repository_owner == 'home-assistant'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 # The 60 day stale policy for PRs
 # Used for:
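Review bot: The job-level `permissions:` block added under `stale:` carries no comment saying why the two write scopes are needed, so a later editor cannot tell whether either can be dropped; I would add something like `# Write access is needed to label, comment on and close stale issues and PRs` above `issues: write`, after confirming that is what the steps do. The restriction only narrows the workflow's `GITHUB_TOKEN`, and the `steps:` list begins at the end of this hunk and continues outside it, so any step there that passes a different secret as its token is not covered by this change and should be checked separately. With the workflow default now `permissions: {}`, a stale action that keeps its state in the Actions cache may also need `actions: write`; this is worth confirming on the first scheduled run after merge.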