From f85e2ddb15e2c044d83c60b6c0c5d2d191ae41a4 Mon Sep 17 00:00:00 2001
From: Seth Flynn <getchoo@tuta.io>
Date: Mon, 2 Feb 2026 16:50:21 -0500
Subject: [PATCH] ci(blocked-prs): restrict runner token permissions

These can run without any permissions since we use our own app for auth

Signed-off-by: Seth Flynn <getchoo@tuta.io>
---
 .github/workflows/blocked-prs.yml       | 2 ++
 .github/workflows/merge-blocking-pr.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/blocked-prs.yml b/.github/workflows/blocked-prs.yml
index 4e4285260..fa00646e2 100644
--- a/.github/workflows/blocked-prs.yml
+++ b/.github/workflows/blocked-prs.yml
@@ -14,6 +14,8 @@ on:
         required: true
         type: number
 
+permissions: {}
+
 jobs:
   blocked_status:
     name: Check Blocked Status
diff --git a/.github/workflows/merge-blocking-pr.yml b/.github/workflows/merge-blocking-pr.yml
index 57c9cf21e..5c6357430 100644
--- a/.github/workflows/merge-blocking-pr.yml
+++ b/.github/workflows/merge-blocking-pr.yml
@@ -11,6 +11,8 @@ on:
         required: true
         type: number
 
+permissions: {}
+
 jobs:
   update-blocked-status:
     name: Update Blocked Status