From 7af63460ea11cdc95f6ed266fb9ae0375d2342cd Mon Sep 17 00:00:00 2001
From: Franck Nijhof <git@frenck.dev>
Date: Sun, 15 Feb 2026 11:22:25 +0100
Subject: [PATCH] CI security hardening: restrict permissions in
 restrict-task-creation workflow (#163051)

---
 .github/workflows/restrict-task-creation.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/restrict-task-creation.yml b/.github/workflows/restrict-task-creation.yml
index 1b78cae3e0f..fdbe5c65635 100644
--- a/.github/workflows/restrict-task-creation.yml
+++ b/.github/workflows/restrict-task-creation.yml
@@ -5,9 +5,14 @@ on:
   issues:
     types: [opened]
 
+permissions: {}
+
 jobs:
   check-authorization:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     # Only run if this is a Task issue type (from the issue form)
     if: github.event.issue.type.name == 'Task'
     steps: