diff --git a/agentic/ci-doctor.md b/agentic/ci-doctor.md
index fdf20dd..f2e4e69 100644
--- a/agentic/ci-doctor.md
+++ b/agentic/ci-doctor.md
@@ -17,9 +17,11 @@ on:
 # Only trigger for failures - check in the workflow body
 if: ${{ github.event.workflow_run.conclusion == 'failure' }}
-permissions: read-all
-
-network: defaults
+permissions:
+ contents: read
+ actions: read
+ issues: read
+ checks: read
 safe-outputs:
 create-issue:
diff --git a/agentic/code-simplifier.md b/agentic/code-simplifier.md
index ba2829a..00dff18 100644
--- a/agentic/code-simplifier.md
+++ b/agentic/code-simplifier.md
@@ -14,7 +14,10 @@ network:
 - rust
 - java
-permissions: read-all
+permissions:
+ contents: read
+ pull-requests: read
+ issues: read
 tracker-id: code-simplifier
diff --git a/agentic/daily-doc-updater.md b/agentic/daily-doc-updater.md
index c6a771e..0c49a16 100644
--- a/agentic/daily-doc-updater.md
+++ b/agentic/daily-doc-updater.md
@@ -22,8 +22,6 @@ permissions:
 tools:
 github:
 toolsets: [default]
- edit:
- bash: true
 timeout-minutes: 30
diff --git a/agentic/daily-repo-status.md b/agentic/daily-repo-status.md
index a5be7ec..38ab866 100644
--- a/agentic/daily-repo-status.md
+++ b/agentic/daily-repo-status.md
@@ -15,8 +15,6 @@ permissions:
 issues: read
 pull-requests: read
-network: defaults
-
 tools:
 github:
 # If in a public repo, setting `lockdown: false` allows
diff --git a/agentic/daily-team-status.md b/agentic/daily-team-status.md
index 5a50194..ae101d4 100644
--- a/agentic/daily-team-status.md
+++ b/agentic/daily-team-status.md
@@ -16,8 +16,6 @@ permissions:
 issues: read
 pull-requests: read
-network: defaults
-
 tools:
 github:
 min-integrity: none # This workflow is allowed to examine and comment on any issues
diff --git a/agentic/daily-test-improver.md b/agentic/daily-test-improver.md
index 68fc5d8..4238afc 100644
--- a/agentic/daily-test-improver.md
+++ b/agentic/daily-test-improver.md
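Review bot: Dropping `network: defaults` from the ci-doctor frontmatter (the same deletion appears in daily-repo-status, daily-team-status, issue-triage and pr-fix) leaves each workflow's egress policy implicit, so whether the agent keeps basic outbound access now depends on the engine's unstated default rather than on anything in the file. If the line was only redundant, say so where it used to be, e.g. `# no network: key on purpose - relies on the engine's default egress policy`; if the intent was to tighten egress, write it explicitly as a `network:` block with an `allowed:` list, as daily-test-improver and repo-assist already do. The scoped reads (`contents`, `actions`, `issues`, `checks`) are a clear improvement over `read-all`, and issue creation correctly stays behind `safe-outputs: create-issue`. The frontmatter continues outside the hunk in both directions.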
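Review bot: Removing `edit:` together with `bash: true` leaves daily-doc-updater with only the GitHub `default` toolset, so if this workflow is meant to change documentation files in the checkout (for example to hand a diff to a pull-request safe output, which is not visible in this hunk) it no longer has any tool that can write to the working tree - confirm that is intended rather than an over-correction. Dropping unrestricted `bash: true` is the right direction; if a shell is still required for formatting or link checks, the engine's allow-listed form (if it offers one) scoped to the specific commands is preferable to restoring `bash: true`. A one-line comment where the keys were removed, `# edit/bash intentionally disabled: repository writes go through safe-outputs only`, would stop the next maintainer from silently re-adding them. The `tools:` mapping starts inside the hunk but the rest of the frontmatter lies outside it.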
@@ -20,7 +20,14 @@ on:
 timeout-minutes: 30
-permissions: read-all
+permissions:
+ contents: read
+ issues: read
+ pull-requests: read
+ checks: read
+ actions: read
+ discussions: read
+ security-events: read
 network:
 allowed:
@@ -57,7 +64,6 @@ safe-outputs:
 tools:
 web-fetch:
- bash: true
 github:
 toolsets: [all]
 repo-memory: true
diff --git a/agentic/issue-triage.md b/agentic/issue-triage.md
index 0363e33..49c33d6 100644
--- a/agentic/issue-triage.md
+++ b/agentic/issue-triage.md
@@ -12,9 +12,9 @@ on:
 types: [opened, reopened]
 reaction: eyes
-permissions: read-all
-
-network: defaults
+permissions:
+ contents: read
+ issues: read
 safe-outputs:
 add-labels:
diff --git a/agentic/pr-fix.md b/agentic/pr-fix.md
index 401fee9..b989b6c 100644
--- a/agentic/pr-fix.md
+++ b/agentic/pr-fix.md
@@ -12,13 +12,15 @@ on:
 name: pr-fix
 reaction: "eyes"
-permissions: read-all
-
-network: defaults
+permissions:
+ contents: read
+ pull-requests: read
+ actions: read
+ checks: read
+ issues: read
 tools:
 web-fetch:
- bash: true
 github:
 min-integrity: none # This workflow is allowed to examine any PR because it's invoked by a repo maintainer
diff --git a/agentic/repo-assist.md b/agentic/repo-assist.md
index fe27461..35bb0ca 100644
--- a/agentic/repo-assist.md
+++ b/agentic/repo-assist.md
@@ -23,7 +23,14 @@ on:
 timeout-minutes: 60
-permissions: read-all
+permissions:
+ contents: read
+ issues: read
+ pull-requests: read
+ checks: read
+ actions: read
+ discussions: read
+ security-events: read
 network:
 allowed:
@@ -43,7 +50,6 @@ tools:
 github:
 toolsets: [all]
 min-integrity: none # This workflow is allowed to examine and comment on any issues or PRs
- bash: true
 repo-memory: true
 safe-outputs:
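Review bot: The new `permissions:` block grants `security-events: read` and `discussions: read` to daily-test-improver, and the identical set is added to repo-assist further down; nothing in either hunk shows the agent reading code-scanning or secret-scanning alerts, and that scope places alert details in the context of a model that also has `web-fetch:` and the GitHub `all` toolset - exactly the data you least want reachable from prompt-injected content. Keep the scoped list but drop `security-events: read` (and `discussions: read` where no discussion handling exists) unless a tool call in the body needs it, or record the consumer inline: `security-events: read # required by <specific toolset/query>`. Explicit scopes remain far better than the `read-all` they replace. The frontmatter continues outside the hunk in both directions.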
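Review bot: Removing `bash: true` from daily-test-improver (and from pr-fix and repo-assist in the later hunks) leaves workflows whose names imply running or fixing tests with no shell at all while `web-fetch:` and `github: toolsets: [all]` stay enabled, so if the agent has to execute a test suite to validate its own changes that capability is now gone. Prefer an explicit allow-list over either extreme, e.g. `bash: ["npm test", "npm run lint"]` with the project's real commands (not visible here) and only if the engine supports that form, so a shell exists but cannot be steered by fetched or issue-sourced content into arbitrary commands. If no shell is needed, a comment where `bash:` used to be, `# bash intentionally disabled: all repository writes go through safe-outputs`, documents the decision. These `tools:` mappings continue outside the hunks.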