From 63685cc4db528f54a727ba2284e7a467e33e5779 Mon Sep 17 00:00:00 2001 From: svonava Date: Tue, 14 Apr 2026 18:39:33 -0700 Subject: [PATCH] ci: scope sie-web-sync-bot token to contents:write + metadata:read --- .github/workflows/notify-sie-web-vdb.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/notify-sie-web-vdb.yml b/.github/workflows/notify-sie-web-vdb.yml index 7626ef50..d577e3ad 100644 --- a/.github/workflows/notify-sie-web-vdb.yml +++ b/.github/workflows/notify-sie-web-vdb.yml @@ -5,7 +5,8 @@ name: Notify sie-web (VDB data updated) # sync-vdb-data workflow pulls the new data. # # Uses the sie-web-sync-bot GitHub App installation token — the default -# GITHUB_TOKEN cannot dispatch events into another repository. +# GITHUB_TOKEN cannot dispatch events into another repository. Token is +# scoped to the minimum permissions needed to call POST /repos/.../dispatches. on: push: @@ -29,6 +30,8 @@ jobs: private-key: ${{ secrets.SYNC_APP_PRIVATE_KEY }} owner: superlinked repositories: sie-web + permission-contents: write + permission-metadata: read - name: Fire repository_dispatch on sie-web env:
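Review bot: The new comment's "minimum permissions needed to call POST /repos/.../dispatches" is accurate as far as GitHub's documented requirement goes (the dispatches endpoint has no permission narrower than Contents: write), but a reader may not realise that contents:write also lets the token holder push commits, tags and releases to sie-web — so the token is still a write-to-code credential, not a notify-only one. Suggest extending the comment: `# contents:write is the narrowest permission GitHub accepts for the dispatches endpoint, but it also grants push access to sie-web; the token is confined to that one repository via the repositories: input below.` The `repositories: sie-web` claim refers to the token step in the second hunk; the workflow header and `on:` block continue outside this hunk.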
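Review bot: The two `permission-*` inputs can only narrow what the App's installation on sie-web already grants — they cannot add a permission — so if that installation was not configured with Contents: write this step will fail at token creation rather than silently issuing a weaker token; a one-line comment would save the next person a debugging round, e.g. `# permission-* only restricts the installation's existing grants; the sie-web installation must already hold contents:write`. This is inferred from the input names, which match actions/create-github-app-token; the `uses:` line sits above this hunk and is not visible, so I cannot confirm the action or whether it is pinned to a commit SHA, which matters for a step that is handed `SYNC_APP_PRIVATE_KEY`. `metadata: read` is granted to every installation token regardless, so listing it is harmless but not load-bearing. The `steps:` list continues outside the hunk.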