From 0e0ccfb1eb2c7751a599f3667242e45d9bde04bd Mon Sep 17 00:00:00 2001
From: arpitjain099
Date: Wed, 13 May 2026 10:52:41 +0000
Subject: [PATCH] ci: per-job permissions for publish-pypi, release-doctor, sync-labels
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- publish-pypi: contents: read — publish step uses PYPI_TOKEN, not GITHUB_TOKEN.
- release-doctor: contents: read — only runs a local sanity-check script.
- sync-labels: issues: write — micnncim/action-label-syncer manages repo labels via GITHUB_TOKEN.
Matches the per-job permissions style already used in ci.yml and detect-breaking-changes.yml.
Signed-off-by: Arpit Jain
---
 .github/workflows/publish-pypi.yml | 2 ++
 .github/workflows/release-doctor.yml | 2 ++
 .github/workflows/sync-labels.yml | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 5d3e356c4f2..8631c071446 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -11,6 +11,8 @@ on:
 jobs:
 publish:
 name: publish
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/release-doctor.yml b/.github/workflows/release-doctor.yml
index 41be236b980..2966355f4f3 100644
--- a/.github/workflows/release-doctor.yml
+++ b/.github/workflows/release-doctor.yml
@@ -13,6 +13,8 @@ concurrency:
 jobs:
 release_doctor:
 name: release doctor
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 timeout-minutes: 2
 if: github.repository == 'cloudflare/cloudflare-python' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || startsWith(github.head_ref, 'release-please') || github.head_ref == 'next')
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 883eebba725..d5102f68719 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
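Review bot: The new `contents: read` in the publish job carries no comment on why read is sufficient, while the sync-labels hunk of this same patch documents its scope inline; the rationale given in the commit message belongs next to the key, e.g. `contents: read # checkout only; the upload authenticates with the PYPI_TOKEN secret, not GITHUB_TOKEN`. One caveat worth recording there: a job-level `permissions:` block sets every unlisted scope to none, so if this job is later moved to PyPI trusted publishing (OIDC) it will fail closed until `id-token: write` is added. The publish job's steps are outside the hunk, so the claim that no step needs GITHUB_TOKEN beyond checkout is taken from the commit message rather than verified here.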
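Review bot: The `contents: read` added to release_doctor is undocumented in the YAML, unlike the sync-labels hunk in this patch which explains its scope inline; since a job-level `permissions:` block zeroes every scope not listed, a one-line comment such as `contents: read # checkout only; the release-doctor script makes no GitHub API calls` will stop a future maintainer from widening it reflexively. The job's steps lie outside the hunk, so that the script needs nothing beyond checkout is taken from the commit message rather than verified here.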
@@ -8,6 +8,8 @@ on:
 - .github/labels.yml
 jobs:
 build:
+ permissions:
+ issues: write # action-label-syncer creates/updates repo labels
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
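Review bot: Declaring `issues: write` alone sets every other GITHUB_TOKEN scope to none, including `contents`, yet the step directly below still runs `actions/checkout@v2`; on a private repository that checkout would fail, and even on a public one the job now relies on anonymous read access instead of stating what it uses. Add `contents: read # actions/checkout` next to `issues: write` so the block lists exactly the scopes the job needs. Separately, `actions/checkout@v2` is a mutable, several-majors-old tag; pinning it and the label-syncer action to a full commit SHA is the usual supply-chain hardening for a job that holds a write-scoped token, though that is pre-existing rather than introduced by this hunk.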