Set explicit workflow permissions#13746

Merged
glenn-jocher merged 1 commit into master from fix-workflow-permissions-alerts
Apr 23, 2026
Conversation

@glenn-jocher glenn-jocher commented Apr 23, 2026

Summary

  • move stale workflow token permissions to workflow scope
  • grant the PR branch updater the contents: write permission required by update_branch()
  • document the existing read-only token scope for link checking and Docker publishing workflows

CodeQL alerts

Addresses the open actions/missing-workflow-permissions alerts on master:

Validation

  • Parsed all four edited workflow YAML files with yaml.safe_load()
  • git diff --check

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

🔐 This PR updates GitHub Actions workflow permissions to better match what each automation job actually needs, improving clarity, reliability, and security.

📊 Key Changes

  • Added explanatory comments to contents: read permissions in:
    • .github/workflows/docker.yml
    • .github/workflows/links.yml
  • Changed permissions in .github/workflows/merge-main-into-prs.yml:
    • contents: read → contents: write
    • Kept pull-requests: write
  • Moved permissions in .github/workflows/stale.yml from the job level to the workflow level:
    • issues: write
    • pull-requests: write
  • Kept the stale issue cleanup behavior the same, while making permission setup more explicit and standardized 🧹

🎯 Purpose & Impact

  • Improves workflow correctness ✅
    • The merge automation now has the required write access to update branches and merge main into open PRs.
  • Makes CI/CD configuration easier to understand 📘
    • Added comments clarify why permissions are needed, which helps maintainers review and troubleshoot workflows faster.
  • Encourages better security hygiene 🔒
    • Permissions are more intentionally declared, helping avoid over- or under-scoped GitHub Actions access.
  • Standardizes workflow configuration ⚙️
    • Moving stale workflow permissions to the top level makes the setup cleaner and more consistent across the repository.
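As an added example (not code from ultralytics/yolov5 or this PR), a small checker for the condition behind the actions/missing-workflow-permissions alert: it resolves the GITHUB_TOKEN scope each job actually gets from the workflow-level and job-level `permissions` blocks, flags jobs that fall back to the repository default, and answers questions such as whether a job holds the `contents: write` the branch updater needs. The function names `effective_permissions`, `lint_workflow` and `job_can` are mine, and the sample workflow mappings are constructed in the shape `yaml.safe_load()` returns, not the repository's real files.

```python
# Added example for this review; not code from ultralytics/yolov5.
# Each workflow is the mapping yaml.safe_load() returns for a workflow file
# (the `on:` trigger key is omitted; the check does not need it).
PERMISSION_RANK = {"none": 0, "read": 1, "write": 2}


def effective_permissions(workflow, job_id):
    """Permissions the job's GITHUB_TOKEN receives.

    A job-level block replaces (does not merge with) the workflow-level block.
    With neither present, None is returned: the repository's default token
    permissions apply, which is the condition the CodeQL alert flags."""
    job = workflow["jobs"][job_id]
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")


def lint_workflow(name, workflow):
    """One finding per job whose token scope is left to the repository default."""
    return [
        f"{name}: job '{job_id}' has no explicit permissions"
        for job_id in workflow["jobs"]
        if effective_permissions(workflow, job_id) is None
    ]


def job_can(workflow, job_id, scope, level):
    """True/False if the job's token grants at least `level` on `scope`; None when
    no explicit block exists and the answer depends on repository settings.
    Handles the `read-all` / `write-all` shorthands and `{}` (every scope none)."""
    perms = effective_permissions(workflow, job_id)
    if perms is None:
        return None
    if perms == "write-all":
        return True
    if perms == "read-all":
        return level == "read"
    granted = perms.get(scope, "none")  # scopes not listed in the block are 'none'
    return PERMISSION_RANK[granted] >= PERMISSION_RANK[level]


# Constructed samples shaped like the workflows this PR touches (not the real files).
STALE_JOB_LEVEL = {"jobs": {"stale": {"permissions": {"issues": "write", "pull-requests": "write"}}}}
STALE_WORKFLOW_LEVEL = {"permissions": {"issues": "write", "pull-requests": "write"}, "jobs": {"stale": {}}}
MERGE_BEFORE = {"permissions": {"contents": "read", "pull-requests": "write"}, "jobs": {"merge": {}}}
MERGE_AFTER = {"permissions": {"contents": "write", "pull-requests": "write"}, "jobs": {"merge": {}}}
OVERRIDE = {"permissions": {"contents": "write"}, "jobs": {"lint": {"permissions": {"contents": "read"}}}}
UNSCOPED = {"jobs": {"build": {}}}
```

Run `lint_workflow` over every mapping under `.github/workflows/` to reproduce the alert locally; `OVERRIDE` shows why the stale.yml move is behaviour-preserving only because a job-level block fully replaces the workflow-level one.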

@UltralyticsAssistant UltralyticsAssistant added labels: devops (GitHub Devops or MLops), enhancement (New feature or request), priority: low (Low urgency; can wait behind higher-priority work) Apr 23, 2026
@UltralyticsAssistant

👋 Hello @glenn-jocher, thank you for submitting an ultralytics/yolov5 🚀 PR! This is an automated message to help streamline review; an engineer will assist you shortly. Please review the checklist below to help ensure a smooth integration ✨

  • Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
  • Synchronize with Source: Confirm your PR is synchronized with the ultralytics/yolov5 main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
  • Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
  • Update Documentation: Update the relevant documentation for any new or modified features.
  • Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
  • Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
  • Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. Don't hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

@UltralyticsAssistant UltralyticsAssistant left a comment

🔍 PR Review

Made with ❤️ by Ultralytics Actions

PR looks clean. The permission changes are consistent with least-privilege intent, and the workflow-level move in stale.yml is behaviorally equivalent here since the workflow has a single job. I did not find any actionable issues in the shown diff.

@glenn-jocher glenn-jocher merged commit 6d6b4ec into master Apr 23, 2026
8 checks passed
@glenn-jocher glenn-jocher deleted the fix-workflow-permissions-alerts branch April 23, 2026 22:24
@UltralyticsAssistant

🎉 Thanks for merging this, @glenn-jocher!

This is a great refinement to the GitHub Actions setup—clearer permissions, better security hygiene, and more reliable automation all in one pass. As Benjamin Franklin put it, “An ounce of prevention is worth a pound of cure.” That fits this PR perfectly: small, intentional permission updates now help prevent CI confusion and workflow issues later.

Really appreciate the thoughtful cleanup and consistency improvements here 🔐⚙️
