From 755a3f82d419c18e90a77268c86e4069456fcfd0 Mon Sep 17 00:00:00 2001
From: Franck Nijhof <git@frenck.dev>
Date: Sun, 15 Feb 2026 11:22:06 +0100
Subject: [PATCH] CI security hardening: restrict permissions in lock workflow
 (#163050)

---
 .github/workflows/lock.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 209f485a80b..cb69d77b2e2 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -5,10 +5,15 @@ on:
   schedule:
     - cron: "0 * * * *"
 
+permissions: {}
+
 jobs:
   lock:
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
         with: