From a55a57af609c71c03142c6a9b62bb432746aca29 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:26:15 -0400 Subject: [PATCH 1/3] ci: scope down permissions for owasp-dependency-check.yml --- .github/workflows/owasp-dependency-check.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/owasp-dependency-check.yml b/.github/workflows/owasp-dependency-check.yml index fa2657740..b7df2a770 100644 --- a/.github/workflows/owasp-dependency-check.yml +++ b/.github/workflows/owasp-dependency-check.yml @@ -3,6 +3,9 @@ on: schedule: - cron: "10 10 * * 3" +permissions: + contents: read + jobs: owasp-dependency-check: name: Verify dependencies with OWASP checker From 0c2f8dfe6a61d5b1ac73a1a85832e67241af6fce Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:26:17 -0400 Subject: [PATCH 2/3] ci: scope down permissions for release.yml --- .github/workflows/release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7ff2bea79..9faff653b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,9 @@ on: description: "Version to use for further development" required: true default: "X.Y.Z-SNAPSHOT" +permissions: + contents: write + jobs: release: runs-on: ubuntu-latest From 2816aae7a701bc0c934b050fc0f067a34d36c6a4 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:26:19 -0400 Subject: [PATCH 3/3] ci: scope down permissions for continuous-integration-workflow.yml --- .github/workflows/continuous-integration-workflow.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml index 2785cd3dc..08fe294d4 100644 --- a/.github/workflows/continuous-integration-workflow.yml +++ b/.github/workflows/continuous-integration-workflow.yml @@ -8,6 +8,9 @@ on: - 1.x workflow_dispatch: +permissions: + contents: read + jobs: build_core: name: Build and test core