From 1bb4081427b3466cefe62d9b78446d85779bc129 Mon Sep 17 00:00:00 2001
From: hriszc <510245979@qq.com>
Date: Tue, 10 Mar 2026 09:03:01 +0800
Subject: [PATCH] Harden workflow validation and permissions

---
 .../workflows/add-good-first-issue-labels.yml | 3 +++
 .github/workflows/bounty-program-commands.yml | 3 +++
 .github/workflows/help-command.yml | 6 +++++-
 .../workflows/issues-prs-notifications.yml | 3 +++
 .github/workflows/lint-pr-title.yml | 3 +++
 .../workflows/notify-tsc-members-mention.yml | 3 +++
 .../workflows/validate-workflow-schema.yml | 20 ++++++++++++++++++-
 .../workflows/welcome-first-time-contrib.yml | 4 ++++
 8 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/add-good-first-issue-labels.yml b/.github/workflows/add-good-first-issue-labels.yml
index 05d05caf5..16a73a539 100644
--- a/.github/workflows/add-good-first-issue-labels.yml
+++ b/.github/workflows/add-good-first-issue-labels.yml
@@ -9,6 +9,9 @@ on:
     types:
       - created
 
+permissions:
+  issues: write
+
 jobs:
   add-labels:
     if: ${{(!github.event.issue.pull_request && github.event.issue.state != 'closed' && github.actor != 'asyncapi-bot') && (contains(github.event.comment.body, '/good-first-issue') || contains(github.event.comment.body, '/gfi' ))}}
diff --git a/.github/workflows/bounty-program-commands.yml b/.github/workflows/bounty-program-commands.yml
index c42e3005a..d4dbb4040 100644
--- a/.github/workflows/bounty-program-commands.yml
+++ b/.github/workflows/bounty-program-commands.yml
@@ -14,6 +14,9 @@ on:
     types:
       - created
 
+permissions:
+  issues: write
+
 env:
   BOUNTY_PROGRAM_LABELS_JSON: |
     [
diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml
index 6228c56f0..75ab2585f 100644
--- a/.github/workflows/help-command.yml
+++ b/.github/workflows/help-command.yml
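Review bot: Declaring a top-level `permissions:` block with only `issues: write` sets every unlisted `GITHUB_TOKEN` scope to `none` for all jobs in the workflow, so any step below that checks out the repository or reads contents through the API will now fail with a permissions error; the `add-labels` job body is outside this hunk, so I cannot confirm whether it needs `contents: read`. The same applies to the `permissions:` blocks added in bounty-program-commands.yml, help-command.yml, lint-pr-title.yml and welcome-first-time-contrib.yml. If a job does need it, add `contents: read` alongside the write scope, and consider moving the write scope down to job level so only the job that labels issues holds it. A short comment above the block, `# GITHUB_TOKEN is restricted to issue labeling; unlisted scopes default to none`, would make the intent explicit to the next editor.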
@@ -8,6 +8,10 @@ on:
     types:
       - created
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   create_help_comment_pr:
     if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/help') && github.actor != 'asyncapi-bot' }}
@@ -64,4 +68,4 @@ jobs:
             - \`/good-first-issue {js | ts | java | go | docs | design | ci-cd}\` or \`/gfi {js | ts | java | go | docs | design | ci-cd}\` - label an issue as a \`good first issue\`. example: \`/gfi js\` or \`/good-first-issue ci-cd\`
             - \`/transfer-issue {repo-name}\` or \`/ti {repo-name}\` - transfer issue from the source repository to the other repository passed by the user. example: \`/ti cli\` or \`/transfer-issue cli\`.`
-          })
\ No newline at end of file
+          })
diff --git a/.github/workflows/issues-prs-notifications.yml b/.github/workflows/issues-prs-notifications.yml
index ce1362867..ebf6b5b4f 100644
--- a/.github/workflows/issues-prs-notifications.yml
+++ b/.github/workflows/issues-prs-notifications.yml
@@ -14,6 +14,9 @@ on:
   discussion:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   issue:
     if: github.event_name == 'issues' && github.actor != 'asyncapi-bot' && github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
index 77aa1c6e4..1f83f6320 100644
--- a/.github/workflows/lint-pr-title.yml
+++ b/.github/workflows/lint-pr-title.yml
@@ -7,6 +7,9 @@ on:
   pull_request_target:
     types: [opened, reopened, synchronize, edited, ready_for_review]
 
+permissions:
+  pull-requests: write
+
 jobs:
   lint-pr-title:
     name: Lint PR title
diff --git a/.github/workflows/notify-tsc-members-mention.yml b/.github/workflows/notify-tsc-members-mention.yml
index ffa39bbce..57799fb51 100644
--- a/.github/workflows/notify-tsc-members-mention.yml
+++ b/.github/workflows/notify-tsc-members-mention.yml
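Review bot: `contents: read` in issues-prs-notifications.yml (and the identical block added in notify-tsc-members-mention.yml) is a reasonable floor, but the hunk does not show whether the `issue` job ever checks out the repository or reads it through the API. If these jobs only forward event data to an external notifier, `permissions: {}` would remove the token's repository access entirely and is the tighter choice. Worth confirming against the job bodies, which sit outside the hunk, before settling on `contents: read`.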
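Review bot: lint-pr-title.yml runs on `pull_request_target`, so the `pull-requests: write` token this hunk grants is a base-repository token that is also issued for pull requests opened from forks. Scoping it to a single write permission is the right direction, but a workflow with this trigger must not check out or execute the PR head ref; the `lint-pr-title` job's steps are outside the hunk, so that is worth confirming. A comment next to the block, `# pull_request_target: token has base-repo write access even for fork PRs; never check out PR head code here`, records why the scope must stay minimal.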
@@ -25,6 +25,9 @@ on:
     types:
       - created
 
+permissions:
+  contents: read
+
 jobs:
   issue:
     if: github.event_name == 'issues' && contains(github.event.issue.body, '@asyncapi/tsc_members')
diff --git a/.github/workflows/validate-workflow-schema.yml b/.github/workflows/validate-workflow-schema.yml
index 8365e8e3b..8b29edc5b 100644
--- a/.github/workflows/validate-workflow-schema.yml
+++ b/.github/workflows/validate-workflow-schema.yml
@@ -7,6 +7,9 @@ on:
     paths:
       - '.github/workflows/**'
 
+permissions:
+  contents: read
+
 jobs:
   yaml-lint:
     runs-on: ubuntu-latest
@@ -69,4 +72,19 @@ jobs:
               }
             }
           }
-          validateWorkflows();
\ No newline at end of file
+          validateWorkflows();
+
+  workflow-security:
+    name: Workflow security checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Run actionlint
+        uses: rhysd/actionlint@v1
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@v0.1.2
+        with:
+          persona: pedantic
diff --git a/.github/workflows/welcome-first-time-contrib.yml b/.github/workflows/welcome-first-time-contrib.yml
index 2614d8de2..ca1a35fd5 100644
--- a/.github/workflows/welcome-first-time-contrib.yml
+++ b/.github/workflows/welcome-first-time-contrib.yml
@@ -11,6 +11,10 @@ on:
     types:
       - opened
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   welcome:
     name: Post welcome message
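Review bot: The new `workflow-security` job references `actions/checkout@v4`, `rhysd/actionlint@v1` and `zizmorcore/zizmor-action@v0.1.2` by mutable tags, and its checkout step leaves credential persistence at the default; with `persona: pedantic`, zizmor's own `unpinned-uses` and `artipacked` audits are likely to flag exactly these lines, so the job risks failing on itself. Pinning each `uses:` to a full commit SHA with the version in a trailing comment and setting `persist-credentials: false` on the checkout resolves both. Separately, as I recall from zizmor-action's documentation, its default mode uploads SARIF to code scanning and needs `security-events: write`, which the workflow-level `contents: read` block added in the earlier hunk of this file does not grant; either give this job a job-level `permissions:` with `security-events: write` or set `advanced-security: false` under `with:`. Pinning the third-party actions in the other workflows this commit touches would be consistent, but those job bodies are outside the hunks.
```yaml
  workflow-security:
    name: Workflow security checks
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # only while zizmor-action uploads SARIF (its default); drop with advanced-security: false
    steps:
      - name: Checkout Code
        uses: actions/checkout@<COMMIT_SHA_FOR_v4>  # v4
        with:
          persist-credentials: false

      - name: Run actionlint
        uses: rhysd/actionlint@<COMMIT_SHA_FOR_v1>  # v1

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@<COMMIT_SHA_FOR_v0.1.2>  # v0.1.2
        with:
          persona: pedantic
```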