From 41c8d8c143620c69385372dfd9f90000b2cbbe11 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 21:13:49 -0400
Subject: [PATCH 1/3] Scope down GitHub token permissions for codeql-analysis.yml
---
.github/workflows/codeql-analysis.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c581a007..b539d090 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,11 @@ on: schedule: - cron: '0 0 * * 2' + +permissions: + contents: read + security-events: write + jobs: analyze: name: Analyze
From ac830da9398900b66c81b00d9deeb45e56e053d1 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 21:13:55 -0400
Subject: [PATCH 2/3] Scope down GitHub token permissions for notifications.yml
---
.github/workflows/notifications.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml
index d2d7727b..8fbbc95f 100644
--- a/.github/workflows/notifications.yml
+++ b/.github/workflows/notifications.yml
@@ -7,6 +7,10 @@ on: issue_comment: types: [created] + +permissions: + contents: read + jobs: issue-notifications: name: Send Notifications
From f96b130faacff04a6bcbdf9e63fd1c2857a1635b Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 21:14:00 -0400
Subject: [PATCH 3/3] Scope down GitHub token permissions for check.yml
---
.github/workflows/check.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 042affc4..1ef43aac 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,6 +1,10 @@ on: [pull_request] + +permissions: + contents: read + name: Check jobs:
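Review bot: The permissions block added to codeql-analysis.yml grants exactly `contents: read` and `security-events: write`, which covers SARIF upload on a public repository; if this repository is private, or the analysis pulls CodeQL packs from a private registry, the CodeQL action also needs `actions: read` and `packages: read`, so confirm against the `analyze` job's steps, which lie outside the hunk. Because the block is workflow-level it is inherited by every job in the file; only `analyze` is visible here, so that is fine today, but a job added later would silently inherit the write scope unless the block is moved under `analyze`. A comment such as `# CodeQL needs security-events: write to upload results; keep every other scope read-only` above the block would record why the write scope is present.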
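Review bot: notifications.yml is reduced to `contents: read` while its trigger is `issue_comment: types: [created]`, and the `issue-notifications` job's steps are outside the hunk; if any of them writes back with `GITHUB_TOKEN` (commenting, labelling or assigning), it will now fail with a 403 until that job declares `issues: write` (plus `pull-requests: write` for comments on pull requests) at job level. Restricting the token here is the right direction, since `issue_comment` workflows run with default-branch code and a read-only token bounds what a malformed comment could do through it, but the job should be exercised once on a test issue to confirm nothing still depends on a write scope; the same check applies to the check.yml hunk, whose job bodies are likewise out of view. A comment on the block such as `# GITHUB_TOKEN is read-only; grant issues: write at job level if a step must post back` would make the contract explicit.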