From 99f6eca9b93f479f3a21d2c38bbea5905e045dba Mon Sep 17 00:00:00 2001
From: Colin Dean
Date: Wed, 20 Aug 2025 12:22:18 -0400
Subject: [PATCH 1/5] Add and isolate content:write permission for pre-commit updates
This workflow has been failing because of the permissions revocation in a previous commit. This commit restores that permission set at a job-granular level.
---
 .github/workflows/pre-commit-updates.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/.github/workflows/pre-commit-updates.yml b/.github/workflows/pre-commit-updates.yml
index 73d96e3..c83e371 100644
--- a/.github/workflows/pre-commit-updates.yml
+++ b/.github/workflows/pre-commit-updates.yml
@@ -23,6 +23,28 @@ jobs:
 env:
 SKIP: "poetry-version-resetter"
 
+ - name: Upload changed .pre-commit-config.yaml
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: ".pre-commit-config.yaml"
+ path: ".pre-commit-config.yaml"
+
+ # This second, dependent job is necessary to isolate the content:write permissions that the auto-update job doesn't need.
+ pr:
+ needs: auto-update
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ with:
+ persist-credentials: false
+
+ - name: Download changed .pre-commit-config.yaml
+ uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+ with:
+ name: ".pre-commit-config.yaml"
+
 - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
 if: always()
 with:
From f5f3383f0f0c743f97cc44f6648ecfc9d7b49656 Mon Sep 17 00:00:00 2001
From: Colin Dean
Date: Wed, 20 Aug 2025 12:25:26 -0400
Subject: [PATCH 2/5] Explicitly persist credentials for use with the latter pull request
---
 .github/workflows/pre-commit-updates.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
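Review bot: The new `pr` job grants only `contents: write`, but peter-evans/create-pull-request running with the default `GITHUB_TOKEN` also requires `pull-requests: write` (per the action's documented permission requirements) to open the pull request after pushing the branch, so as written the push can succeed while the PR creation call is rejected. Unless the step's `with:` block, which continues past the end of this hunk, supplies a PAT or GitHub App token, the job block should read `permissions:` / `contents: write` / `pull-requests: write`. Patch 4/5 later adds `pull-requests: none` to this same block, so the same correction applies there. Separately, the comment introducing the job says `content:write` while the permission key is `contents`; `# ... isolate the contents: write permission that the auto-update job doesn't need.` would match the key it describes.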
diff --git a/.github/workflows/pre-commit-updates.yml b/.github/workflows/pre-commit-updates.yml
index c83e371..c2f701f 100644
--- a/.github/workflows/pre-commit-updates.yml
+++ b/.github/workflows/pre-commit-updates.yml
@@ -38,7 +38,7 @@ jobs:
 steps:
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 with:
- persist-credentials: false
+ persist-credentials: true

 - name: Download changed .pre-commit-config.yaml
 uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
From e6d5718c9cf9709a6ddd937618ceb9df0a53a089 Mon Sep 17 00:00:00 2001
From: Colin Dean
Date: Wed, 20 Aug 2025 12:25:34 -0400
Subject: [PATCH 3/5] Fixes whitespace
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/pre-commit-updates.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pre-commit-updates.yml b/.github/workflows/pre-commit-updates.yml
index c2f701f..56c68d3 100644
--- a/.github/workflows/pre-commit-updates.yml
+++ b/.github/workflows/pre-commit-updates.yml
@@ -34,7 +34,7 @@ jobs:
 needs: auto-update
 permissions:
 contents: write
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 with:
From 1cc9639f313ec310592ae084bda6eb5449a8f4df Mon Sep 17 00:00:00 2001
From: Colin Dean
Date: Wed, 20 Aug 2025 12:29:39 -0400
Subject: [PATCH 4/5] Deny all unused permissions explicitly
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/pre-commit-updates.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/pre-commit-updates.yml b/.github/workflows/pre-commit-updates.yml
index 56c68d3..76e2cf5 100644
--- a/.github/workflows/pre-commit-updates.yml
+++ b/.github/workflows/pre-commit-updates.yml
@@ -34,6 +34,16 @@ jobs:
 needs: auto-update
 permissions:
 contents: write
+ actions: none
+ checks: none
+ deployments: none
+ issues: none
+ discussions: none
+ packages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
From 91608363d1d7e8641fff74ef795e1bbcafb82e11 Mon Sep 17 00:00:00 2001
From: Colin Dean
Date: Wed, 20 Aug 2025 12:33:06 -0400
Subject: [PATCH 5/5] Restore non-persistence of credentials
I think Copilot misled me.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/pre-commit-updates.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pre-commit-updates.yml b/.github/workflows/pre-commit-updates.yml
index 76e2cf5..acaf2ba 100644
--- a/.github/workflows/pre-commit-updates.yml
+++ b/.github/workflows/pre-commit-updates.yml
@@ -48,7 +48,7 @@ jobs:
 steps:
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 with:
- persist-credentials: true
+ persist-credentials: false

 - name: Download changed .pre-commit-config.yaml
 uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
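Review bot: The ten explicit `none` entries added under `permissions:` do not change the job's effective token scopes: once a job-level `permissions:` block names any scope, every scope it does not name is already reduced to `none`, so `contents: write` on its own was equivalent. The list is also not exhaustive (`id-token` and `pages`, for example, are absent), which undercuts the stated intent of denying all unused permissions explicitly and leaves a list to maintain as GitHub adds scopes. Either drop the `none` lines and rely on that default, or keep the intent visible with a single comment such as `contents: write  # all other scopes default to none once any scope is listed`.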
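Review bot: Returning to `persist-credentials: false` is the right setting for this job, but patches 2 and 5 flipping it back and forth show the reason is not recorded in the file, so the next reader may flip it again. peter-evans/create-pull-request authenticates with its own `token` input (defaulting to `GITHUB_TOKEN`) rather than the credential actions/checkout writes into `.git/config`, so no step in the `pr` job needs the persisted token, and not persisting it keeps the `contents: write` token out of reach of later steps. A comment on the line, `persist-credentials: false  # create-pull-request pushes with its own token input; no step needs the checkout credential`, would pin that down. The create-pull-request step's `with:` block lies outside this hunk, so whether a non-default token is passed cannot be confirmed here.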