From 61b73aeb013154f0794570a1b99d0ee65363408c Mon Sep 17 00:00:00 2001
From: Matt Kane
Date: Thu, 2 Apr 2026 18:07:59 +0100
Subject: [PATCH] fix: add explicit permissions to CLA workflow, drop PAT (#121)
---
 .github/workflows/cla.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 104e632..949d318 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -6,6 +6,12 @@ on:
 types: [opened, synchronize]
 merge_group:
 
+permissions:
+ actions: write
+ contents: write
+ pull-requests: write
+ statuses: write
+
 jobs:
 CLAssistant:
 runs-on: ubuntu-latest
@@ -15,7 +21,6 @@ jobs:
 uses: contributor-assistant/github-action@v2.6.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_PERSONAL_ACCESS_TOKEN }}
 with:
 path-to-signatures: "signatures/version1/cla.json"
 path-to-document: "https://www.cloudflare.com/cla/"
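Review bot: The new `permissions:` block in the first hunk is declared at workflow level, so its four write scopes apply to every job later added to this file, not only `CLAssistant`. Moving the same four keys under `jobs.CLAssistant` would tie the grant to the one job that needs it. That token, now carrying `contents: write` and `actions: write`, is passed to `contributor-assistant/github-action@v2.6.1` (context line in the second hunk), which is a mutable tag. Pinning it as `uses: contributor-assistant/github-action@<full-commit-sha> # v2.6.1` would stop a re-pointed tag from inheriting repository write access. A comment such as `# contents: write: signatures are committed to this repo (confirm)` would record why the scope is there; the `on:` trigger names start outside the hunk, so which events receive this token cannot be checked from here.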