From 17cdcf1e3e8adbb1c8677f548618013d6d153234 Mon Sep 17 00:00:00 2001
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Wed, 28 Jan 2026 09:18:09 +0100
Subject: [PATCH 1/3] fix: permissions

---
 .github/workflows/local-python-ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/local-python-ci.yml b/.github/workflows/local-python-ci.yml
index be4cc28..f7d77cb 100644
--- a/.github/workflows/local-python-ci.yml
+++ b/.github/workflows/local-python-ci.yml
@@ -16,7 +16,8 @@ concurrency:
 
 jobs:
   python-ci:
-    permissions: {}
+    permissions:
+      contents: read
     uses: notdodo/github-actions/.github/workflows/python-ci.yml@python-ci-v0
     with:
       working-directory: auto-tagger

From a1c0a1ab01a3a1ca4c0ea449ea7c4fc2c10bf51d Mon Sep 17 00:00:00 2001
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Wed, 28 Jan 2026 09:21:50 +0100
Subject: [PATCH 2/3] fix: domains

---
 .github/workflows/docker-build-and-push.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index d59a63d..fca6280 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -81,13 +81,14 @@ jobs:
           disable-sudo: ${{ inputs.disable-sudo }}
           egress-policy: block
           allowed-endpoints: >
+            *.githubapp.com:443
+            *.trivy.dev:443
             api.github.com:443
             auth.docker.io:443
             download.docker.com:443
             fulcio.sigstore.dev:443
             ghcr.io:443
             github.com:443
-            githubapp.com:443
             index.docker.io:443
             mirror.gcr.io:443
             objects.githubusercontent.com:443
@@ -97,7 +98,6 @@ jobs:
             registry-1.docker.io:443
             rekor.sigstore.dev:443
             release-assets.githubusercontent.com:443
-            trivy.dev:443
             ${{ inputs.egress-policy-allowlist }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

From 64f5ff44c19579d71d123a0bcd18992f30aede87 Mon Sep 17 00:00:00 2001
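Review bot: The new `contents: read` grant in the python-ci job carries no comment saying why the previously empty permission set was insufficient, so the next edit to this job has nothing to check the scope against. Since the job only calls the reusable python-ci workflow, it is presumably the checkout inside that workflow that needs read access; a line such as `# contents: read is the minimum the reusable python-ci workflow needs to check out the repo` above `permissions:` records that. Keeping the grant read-only is the right least-privilege shape here, because a called reusable workflow cannot obtain more than the caller job grants it.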
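Review bot: The two wildcard entries `*.githubapp.com:443` and `*.trivy.dev:443` in the allowed-endpoints hunk widen an `egress-policy: block` allowlist from one host each to every subdomain, which is a larger opening than the specific hosts they replace; if the hosts that were actually being blocked are known from the runner logs, listing them explicitly with a comment naming the tool that contacts them (for example `# trivy vulnerability DB downloads`) keeps the allowlist auditable. The second hunk of this patch drops the apex `trivy.dev:443` entirely, so if the wildcard match does not also cover the apex host the scanner's download would now be blocked instead of allowed — worth confirming against the harden-runner wildcard semantics before relying on it. The same two wildcards are added again on the caller side in the third patch of this series.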
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Wed, 28 Jan 2026 09:22:44 +0100
Subject: [PATCH 3/3] fix: domains

---
 .github/workflows/local-auto-tagger-docker-bp.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/local-auto-tagger-docker-bp.yml b/.github/workflows/local-auto-tagger-docker-bp.yml
index 9dcb4ac..85061fd 100644
--- a/.github/workflows/local-auto-tagger-docker-bp.yml
+++ b/.github/workflows/local-auto-tagger-docker-bp.yml
@@ -16,6 +16,8 @@ jobs:
     uses: notdodo/github-actions/.github/workflows/docker-build-and-push.yml@docker-build-and-push-v0
     with:
       egress-policy-allowlist: >
+        *.githubapp.com:443
+        *.trivy.dev:443
         dl-cdn.alpinelinux.org:443
         files.pythonhosted.org:443
         pypi.org:443
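Review bot: The two wildcards added to `egress-policy-allowlist` duplicate the entries the previous patch adds to the base allowlist of the reusable docker-build-and-push workflow, which already appends `${{ inputs.egress-policy-allowlist }}` to its own list. They only matter while the `docker-build-and-push-v0` tag this job pins has not yet moved to include that change, so a comment such as `# temporary: already in the reusable workflow's base list, drop once docker-build-and-push-v0 includes it` above them makes the later cleanup obvious. Without it the caller-side list keeps growing with entries the reusable workflow is meant to own, and the broadened wildcards stay in place after they stop being needed.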