From b6486a11ce50d80446c15b1ef61fcc945279c0dd Mon Sep 17 00:00:00 2001
From: Yacine Kheddache
Date: Wed, 25 Mar 2026 16:16:05 +0100
Subject: [PATCH 1/2] Update welcome-new-users.yml

Fix issue permissions for pr-opened and pr-merged

Signed-off-by: Yacine Kheddache
---
 .github/workflows/welcome-new-users.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/welcome-new-users.yml b/.github/workflows/welcome-new-users.yml
index eb0e2c2..969e100 100644
--- a/.github/workflows/welcome-new-users.yml
+++ b/.github/workflows/welcome-new-users.yml
@@ -46,7 +46,7 @@ jobs:
 if: github.event_name == 'pull_request' && github.event.action == 'opened'
 runs-on: ubuntu-latest
 permissions:
- pull-requests: write
+ issues: write
 steps:
 - uses: wow-actions/welcome@68019c2c271561f63162fea75bb7707ef8a02c85 # To pin v1.3.1
 with:
@@ -64,7 +64,7 @@ jobs:
 if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
 runs-on: ubuntu-latest
 permissions:
- pull-requests: write
+ issues: write
 steps:
 - uses: wow-actions/welcome@68019c2c271561f63162fea75bb7707ef8a02c85 # To pin v1.3.1
 with:

From 56d14640ab7359fac2afa39697240120331f5696 Mon Sep 17 00:00:00 2001
From: Yacine Kheddache
Date: Wed, 25 Mar 2026 16:19:08 +0100
Subject: [PATCH 2/2] Update welcome-new-users.yml

Add a comment regarding the permissions top-level trick

Signed-off-by: Yacine Kheddache
---
 .github/workflows/welcome-new-users.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/welcome-new-users.yml b/.github/workflows/welcome-new-users.yml
index 969e100..a7a3ff0 100644
--- a/.github/workflows/welcome-new-users.yml
+++ b/.github/workflows/welcome-new-users.yml
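Review bot: Replacing `pull-requests: write` with `issues: write` removes every `pull-requests` scope from the job, and because an explicit `permissions:` block sets each unlisted scope to `none`, the job no longer declares even read access to pull requests; if the pinned welcome action lists the author's earlier PRs to decide whether this is a first contribution, that call may now fail with 403, so verify on a real run and, if needed, declare `issues: write` together with `pull-requests: read`. Separately, this job triggers on `pull_request`, and for PRs opened from forks the GITHUB_TOKEN is read-only no matter what the job declares (unless the repository explicitly allows write tokens for fork PRs), so first-time contributors from forks are unlikely to receive the comment at all; the usual workaround is `pull_request_target`, which must then never check out or execute the PR's code. The second hunk makes the identical change to the pr-merged job and has the same two caveats. Both job definitions continue past the hunks.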
@@ -11,6 +11,9 @@ on:
 pull_request:
 types: [opened, closed]
 
+# Explicitly disable all default GITHUB_TOKEN permissions at the workflow level.
+# Each job then declares only the minimal required permissions (principle of least privilege),
+# e.g., `issues: write` for posting comments. This improves security, especially for PRs from forks.
 permissions: {}
 
 jobs:
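Review bot: The added comment's claim that `permissions: {}` "improves security, especially for PRs from forks" overstates what the top-level block does: on `pull_request` runs from forks the GITHUB_TOKEN is already read-only, so the setting changes nothing there; its real value is for same-repo PRs and any other trigger, where it stops the default read/write scopes from reaching jobs that declare none of their own. The comment also omits the rule that makes the per-job blocks work, namely that an explicit `permissions:` block sets every unlisted scope to `none`, so each job must name every scope its steps need. I would replace the third comment line with `# e.g., issues: write for posting comments. Unlisted scopes become none, so each job gets only what it declares.` and either drop the fork claim or note that fork PRs get a read-only token regardless of this setting.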