From 6e46b42bf4d3eba8140c3fef20edd4332af833dd Mon Sep 17 00:00:00 2001
From: Jiaren Wu
Date: Mon, 13 Oct 2025 11:08:35 -0700
Subject: [PATCH] Potential fix for code scanning alert no. 1: Workflow does not contain permissions (#4274)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jiaren-wu <190862939+jiaren-wu@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/arc-update-runners-scheduled.yaml | 3 +++
 .github/workflows/global-run-first-interaction.yaml | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/arc-update-runners-scheduled.yaml b/.github/workflows/arc-update-runners-scheduled.yaml
index 424c5e82..502b71fe 100644
--- a/.github/workflows/arc-update-runners-scheduled.yaml
+++ b/.github/workflows/arc-update-runners-scheduled.yaml
@@ -1,6 +1,9 @@
 # This workflows polls releases from actions/runner and in case of a new one it
 # updates files containing runner version and opens a pull request.
 name: Runner Updates Check (Scheduled Job)
+permissions:
+ pull-requests: write
+ contents: write
 on:
 schedule:
diff --git a/.github/workflows/global-run-first-interaction.yaml b/.github/workflows/global-run-first-interaction.yaml
index bb5d5db6..49670c53 100644
--- a/.github/workflows/global-run-first-interaction.yaml
+++ b/.github/workflows/global-run-first-interaction.yaml
@@ -1,5 +1,10 @@
 name: First Interaction
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 on:
 issues:
 types: [opened]
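Review bot: The new `permissions:` block in arc-update-runners-scheduled.yaml sits at workflow level, so every job and every third-party action step in the file gets a token with `contents: write` and `pull-requests: write`, not only the step that pushes the version bump and opens the pull request. A tighter form is a top-level `permissions: {}` (or `contents: read`) with the two write scopes declared under the one job that needs them. The jobs are outside this hunk, so check whether the PR is opened with `GITHUB_TOKEN` at all; if a PAT or app token is used for that step, the write scopes on `GITHUB_TOKEN` can probably be dropped. The same workflow-level placement applies to the block added in global-run-first-interaction.yaml.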
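Review bot: In global-run-first-interaction.yaml the token now carries `issues: write` and `pull-requests: write` for every event listed under `on:`, and only the `issues` trigger is visible in this hunk. If the part of `on:` below the hunk includes `pull_request_target`, the job runs with that write-capable token on events raised from forks, so it must not check out or execute code from the PR head. `contents: read` looks unnecessary if no step checks out the repository and could be removed. A short comment above the block would record the intent, for example `# write scopes are only for posting the greeting comment; this workflow must never check out PR code`.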