From d1b0a132742c80ee71fc461aed3b6f1d2a72fa43 Mon Sep 17 00:00:00 2001
From: microcks-bot
Date: Wed, 25 Mar 2026 16:48:50 +0000
Subject: [PATCH] ci: update WELCOME-NEW-USERS workflow from global .github repo
Signed-off-by: microcks-bot
---
.github/workflows/welcome-new-users.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/welcome-new-users.yml b/.github/workflows/welcome-new-users.yml
index eb0e2c2..a7a3ff0 100644
--- a/.github/workflows/welcome-new-users.yml
+++ b/.github/workflows/welcome-new-users.yml
@@ -11,6 +11,9 @@ on:
pull_request:
types: [opened, closed]
+# Explicitly disable all default GITHUB_TOKEN permissions at the workflow level.
+# Each job then declares only the minimal required permissions (principle of least privilege),
+# e.g., `issues: write` for posting comments. This improves security, especially for PRs from forks.
permissions: {}
jobs:
@@ -46,7 +49,7 @@ jobs:
if: github.event_name == 'pull_request' && github.event.action == 'opened'
runs-on: ubuntu-latest
permissions:
- pull-requests: write
+ issues: write
steps:
- uses: wow-actions/welcome@68019c2c271561f63162fea75bb7707ef8a02c85 # To pin v1.3.1
with:
@@ -64,7 +67,7 @@ jobs:
if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
runs-on: ubuntu-latest
permissions:
- pull-requests: write
+ issues: write
steps:
- uses: wow-actions/welcome@68019c2c271561f63162fea75bb7707ef8a02c85 # To pin v1.3.1
with:
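Review bot: The closing sentence of the new comment, `This improves security, especially for PRs from forks.`, overstates what `permissions: {}` does for fork PRs: on `pull_request` events from a fork the GITHUB_TOKEN is read-only regardless of workflow- or job-level `permissions`, so the explicit block neither tightens nor relaxes anything there, and a job asking for `issues: write` will not receive it. Suggest replacing that sentence with `# Note: pull_request runs from forks always get a read-only token, so the write scopes declared per job only take effect for same-repo PRs.` so the next maintainer is not surprised when fork PRs are not welcomed. The `on:` block begins outside the hunk, so I cannot see whether other triggers (e.g. `issues`) are declared above `pull_request`.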
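Review bot: `issues: write` is the right scope for posting a comment on a PR (PR comments go through the issues API), but this job is triggered by `pull_request`, and for PRs opened from forks the token is read-only, so the welcome step presumably fails with a 403 on exactly the PRs a welcome message is meant for. If welcoming fork PRs matters, the job would have to run on `pull_request_target`, and in that case it must keep not checking out or executing PR-head code (the only step visible here is the SHA-pinned `wow-actions/welcome`, which is fine); otherwise document the limitation, e.g. `# fork PRs: token is read-only, comment will not be posted`, so a red check on fork PRs is not mistaken for a regression. The same `permissions:` block appears in the merged-PR job in the third hunk and carries the same caveat. The job definition starts and ends outside the hunk.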