From f8b063f6797cea22c6358332bedf2c389eaf5231 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:01:59 -0400
Subject: [PATCH 1/7] ci: scope down permissions for pull.yml

---
 .github/workflows/pull.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
index d1b7cb4..e3afd80 100644
--- a/.github/workflows/pull.yml
+++ b/.github/workflows/pull.yml
@@ -3,6 +3,9 @@ name: Pull Request Checks
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   static-analysis:
     name: Static Analysis

From a7698949d7c73e39eadf6fc42f460a9b9e8664f3 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:02:01 -0400
Subject: [PATCH 2/7] ci: scope down permissions for repo-sync.yml

---
 .github/workflows/repo-sync.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
index e3776d3..cf250b9 100644
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
@@ -3,6 +3,10 @@ name: Repo Sync
 on:
   workflow_dispatch: # allows triggering this manually through the Actions UI
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   repo-sync:
     name: Repo Sync

From ac362d5b5f795b9053e752492a59c3e922aa8f50 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:02:03 -0400
Subject: [PATCH 3/7] ci: scope down permissions for daily_ci.yml

---
 .github/workflows/daily_ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/daily_ci.yml b/.github/workflows/daily_ci.yml
index 8b0c096..87b93ba 100644
--- a/.github/workflows/daily_ci.yml
+++ b/.github/workflows/daily_ci.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "00 15 * * 1-5"
 
+permissions:
+  contents: read
+
 jobs:
   static-analysis:
     # Don't run the cron builds on forks

From 18b02093223725fce4a6dfc0d5d1c6d5d71d2f57 Mon Sep 17 00:00:00 2001
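Review bot: The workflow-level `contents: read` now denies every write scope to every job in pull.yml, so any step outside this hunk that comments on the pull request or uploads SARIF to code scanning (needing `pull-requests: write` or `security-events: write`) would be refused with a 403; if such a step exists, grant the scope in that job's own `permissions:` block rather than widening this default. On `pull_request` runs from forks the token is already read-only, so the practical effect of the hunk is on same-repository branches, where the default token is otherwise write-capable. A short comment above the key would discourage a later edit from re-widening it: `# GITHUB_TOKEN is read-only by default; grant write scopes per job, never here`. The static-analysis job continues outside the hunk.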
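Review bot: `contents: write` plus `pull-requests: write` is the broadest grant in this series and is applied at workflow level, so it reaches every job in repo-sync.yml, not only the step that pushes and opens the sync PR; since the repo-sync job body is outside the hunk, confirm it actually authenticates with `GITHUB_TOKEN` — if it uses a PAT or GitHub App token for the push and PR creation, these scopes are unused and `contents: read` would do. Per GitHub's documented behaviour, commits pushed and pull requests opened with `GITHUB_TOKEN` do not trigger other workflows, so a sync PR created this way would not receive the pull.yml checks unless a different token is used. Consider moving the block to `jobs.repo-sync.permissions:` so a job added to this file later does not silently inherit write access.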
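Review bot: With `contents: read` as the workflow default, a job in daily_ci.yml that reports a failed nightly run by opening an issue (which would need `issues: write`) would now be refused; the static-analysis job body and the fork guard promised by `# Don't run the cron builds on forks` are outside the hunk, so check them for such a step before merging. If that job delegates to the reusable workflows patched later in this series via `uses:`, this grant is also their ceiling, because a called workflow can only narrow the caller's token. Placement after the `on:` block matches the other workflows in the series.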
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:02:04 -0400
Subject: [PATCH 4/7] ci: scope down permissions for push.yml

---
 .github/workflows/push.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index f419a6a..54cc0f7 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 jobs:
   static-analysis:
     name: Static Analysis

From b24e4f2e5cf78f5364ecb7287957055990bfbf1c Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:02:06 -0400
Subject: [PATCH 5/7] ci: scope down permissions for ci_tests.yaml

---
 .github/workflows/ci_tests.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml
index 9d508e3..413d2ea 100644
--- a/.github/workflows/ci_tests.yaml
+++ b/.github/workflows/ci_tests.yaml
@@ -4,6 +4,9 @@ name: tests
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     runs-on: ${{ matrix.platform.os }}

From bf582171a5f55e5728b61f9c471ec09c77a6dd56 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:02:08 -0400
Subject: [PATCH 6/7] ci: scope down permissions for install.yaml

---
 .github/workflows/install.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/install.yaml b/.github/workflows/install.yaml
index ed3f87b..66f0241 100644
--- a/.github/workflows/install.yaml
+++ b/.github/workflows/install.yaml
@@ -4,6 +4,9 @@ name: venv-tests
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     runs-on: ${{ matrix.platform.os }}

From 4634f9cdc9ba92f35bb9f9f751162d92a89df126 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:02:10 -0400
Subject: [PATCH 7/7] ci: scope down permissions for ci_static-analysis.yaml

---
 .github/workflows/ci_static-analysis.yaml | 3 +++
 1 file changed, 3 insertions(+)

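Review bot: The `push` trigger on `master` is the event where publishing steps normally live — a release, a GitHub Pages deploy, or a `GITHUB_TOKEN`-authenticated package push each needs `contents: write` or `packages: write` — so the job bodies outside this hunk should be checked for one before `contents: read` becomes the workflow default, and any such job should carry its own `permissions:` block instead of this one being widened. Unlike the `pull_request` workflow, nothing here ever runs for a fork, so the read-only default is a pure hardening of the trusted-branch path and costs nothing if no job publishes. The static-analysis job continues outside the hunk.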
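Review bot: Because this file is only entered through `workflow_call:`, the `contents: read` added here cannot grant anything: a called workflow's `GITHUB_TOKEN` is bounded by what the caller passes, and this key can only narrow it further. It is still worth keeping, since it defends against a caller that leaves a permissive repository default in place, but the intent should be written down so nobody later raises a scope here and is puzzled that it has no effect: `# Called workflow: this can only narrow the caller's token, never widen it`. The tests job and its matrix are outside the hunk.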
diff --git a/.github/workflows/ci_static-analysis.yaml b/.github/workflows/ci_static-analysis.yaml
index 8230a8f..89bfc3b 100644
--- a/.github/workflows/ci_static-analysis.yaml
+++ b/.github/workflows/ci_static-analysis.yaml
@@ -4,6 +4,9 @@ name: static analysis
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   analysis:
     runs-on: ubuntu-latest
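Review bot: If the `analysis` job (outside the hunk) uploads results to code scanning with `github/codeql-action/upload-sarif` or a similar action, it needs `security-events: write`, and in a reusable workflow that scope has to be listed both here and in every caller — declaring a `permissions:` map sets every unlisted scope to none, and pull.yml, push.yml and daily_ci.yml now hand over only `contents: read` — so the upload would be refused; if the job only reads the checkout and prints findings, `contents: read` is the right floor. Either way a one-line comment would save the next reader from expecting this key to widen anything: `# Bounded by the caller's grant; this only narrows GITHUB_TOKEN`.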