From fbfe779d2470149f64863d56833b50b440d5f4cd Mon Sep 17 00:00:00 2001 From: GAdityaVarma Date: Wed, 8 Apr 2026 14:23:35 +0530 Subject: [PATCH] SECCMP-1797: Downgrade contents permission from write to read The copyright-check reusable workflow only needs contents: read to checkout code. contents: write was unnecessarily granting the workflow token write access to repository contents, which expands the blast radius of any PwnRequest-style attack. The called workflow (copyright-check.yml) already declares its own permissions block with contents: read. --- .github/workflows/pr-workflow.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-workflow.yaml b/.github/workflows/pr-workflow.yaml index 4562e18d6..9165227c1 100644 --- a/.github/workflows/pr-workflow.yaml +++ b/.github/workflows/pr-workflow.yaml @@ -18,6 +18,6 @@ jobs: name: © Validate Copyright Headers uses: marklogic/pr-workflows/.github/workflows/copyright-check.yml@main permissions: - contents: write + contents: read pull-requests: write issues: write
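Review bot: The same reasoning applies to the two scopes left untouched in this hunk, `pull-requests: write` and `issues: write`; since this job-level `permissions` block caps what the called reusable workflow can receive, those should be dropped to `read` (or removed) here unless copyright-check.yml actually comments on PRs or issues, and the commit message should say which it is. While the block is being tightened, `uses: marklogic/pr-workflows/.github/workflows/copyright-check.yml@main` references a mutable branch; pinning it to a commit SHA would keep the reduced permissions from being undone by a change on `main`.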