kirilinsky · kirilinsky · May 18, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
@@ -18,6 +18,9 @@ on:
       - "package-lock.json"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 # Cancel in-progress runs when new commits land on the same ref, so a
 # rapid sequence of pushes doesn't queue multiple snapshot uploads.
 concurrency:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,8 +5,12 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   test:
+    if: github.head_ref != 'changeset-release/main'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "0 6 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -9,12 +9,14 @@ on:
     - cron: "0 6 * * 1"
 
 permissions:
-  actions: read
   contents: read
-  security-events: write
 
 jobs:
   scan:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de # v2.0.2
     with:
       scan-args: |-

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,12 +8,14 @@ concurrency:
   group: release-${{ github.ref }}
 
 permissions:
-  contents: write
-  pull-requests: write
-  id-token: write
+  contents: read
 
 jobs:
   release:
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -7,7 +7,9 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
 
 jobs:
   analysis:

diff --git a/.github/workflows/size.yml b/.github/workflows/size.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   size:
     if: github.head_ref != 'changeset-release/main'

diff --git a/.github/workflows/storybook.yml b/.github/workflows/storybook.yml
@@ -7,8 +7,6 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: pages
@@ -34,6 +32,9 @@ jobs:
   deploy:
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

diff --git a/LICENSE b/LICENSE
@@ -2,4 +2,17 @@ MIT License
 
 Copyright (c) 2026 kirilinsky
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software.
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software
+and associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/SECURITY.md b/SECURITY.md
@@ -13,7 +13,9 @@ Security updates are provided for the latest stable release only.
 
 If you discover a security vulnerability, please do not open a public issue.
 
-Please report it privately using GitHub's **Report a vulnerability** feature, if available.
+Please report it privately using GitHub's **Report a vulnerability** flow:
+
+https://github.com/kirilinsky/dateforge-react-calendar/security/advisories/new
 
 Include:
 
@@ -22,8 +24,8 @@ Include:
 - Affected version
 - Possible impact
 
-I will try to acknowledge valid reports ASAP.
+I will try to acknowledge valid reports within 7 days.
 
-If the vulnerability is confirmed, I will work on a fix and publish a security update as soon as reasonably possible.
+If the vulnerability is confirmed, I will work on a fix and publish a security update as soon as reasonably possible. I aim to coordinate public disclosure within 90 days, or sooner if a fix is available and users have had reasonable time to upgrade.
 
 Please allow reasonable time for investigation and fixing before public disclosure.
diff --git a/package-lock.json b/package-lock.json