From f603c29eca7341001e548203619221a20a132790 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:35:21 -0400
Subject: [PATCH 1/7] ci: scope down permissions for cross-compilation.yml

---
 .github/workflows/cross-compilation.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/cross-compilation.yml b/.github/workflows/cross-compilation.yml
index 1588765eca..2cebf4351a 100644
--- a/.github/workflows/cross-compilation.yml
+++ b/.github/workflows/cross-compilation.yml
@@ -10,6 +10,9 @@ on:
 - develop
 - main
 
+permissions:
+ contents: read
+
 jobs:
 linux-cross-compilation:
 timeout-minutes: 15

From 4ab26fd2a361afc703100a630c6c74467257ef00 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:35:23 -0400
Subject: [PATCH 2/7] ci: scope down permissions for codeql-analysis.yml

---
 .github/workflows/codeql-analysis.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 28bcf26fcd..0865ec4bcc 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,9 @@ on:
 - main
 - 'test-pr-*'
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze

From 64450d693921ccb5801d4dac71103241581f1db0 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:35:25 -0400
Subject: [PATCH 3/7] ci: scope down permissions for doxygen-gh-pages.yml

---
 .github/workflows/doxygen-gh-pages.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/doxygen-gh-pages.yml b/.github/workflows/doxygen-gh-pages.yml
index da61eef619..fdf949fb11 100644
--- a/.github/workflows/doxygen-gh-pages.yml
+++ b/.github/workflows/doxygen-gh-pages.yml
@@ -7,6 +7,9 @@ on:
 - develop
 - 'test-pr-*'
 
+permissions:
+ contents: write
+
 jobs:
 generate-and-deploy-doxygen:
 runs-on: ubuntu-latest

From ced471fe1e992ff473c1165f88ef75e5a9dddc95 Mon Sep 17 00:00:00 2001
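Review bot: A workflow-level `permissions:` block sets every scope it does not list to `none`, and the body of the `linux-cross-compilation` job is outside this hunk, so the series itself does not show that no step in it needs more than `contents: read`; any step that writes to the repository, issues, pull requests or checks will now fail for lack of scope rather than silently keep the old default. Worth walking each job's steps once; where a single job needs more, grant it at job level, e.g. `permissions:` / `  contents: read` / `  pull-requests: write` under that job, rather than widening the workflow default. The same caveat applies to the version-check.yml, clang-format.yaml and pr-desc-lint.yml hunks later in the series, whose job bodies are likewise outside their hunks.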
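Review bot: `contents: read` on its own is too narrow for a CodeQL workflow: the `github/codeql-action/analyze` step uploads SARIF results to code scanning, which requires `security-events: write` (and `actions: read` on private repositories), so unless the `analyze` job — whose body lies outside this hunk — declares its own `permissions:`, the upload will now fail for lack of that scope. The tight workflow default introduced here is still the right shape; grant the extra scope on the job only, `permissions:` / `  contents: read` / `  security-events: write` under `analyze`, so the checkout and build steps keep the read-only token.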
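Review bot: `contents: write` at the workflow level is the broadest grant in this series and reaches every step of `generate-and-deploy-doxygen`, including the Doxygen build itself, which only needs to read the tree; the job body is outside the hunk, so the deployment method cannot be confirmed from here. If the job pushes the generated site to a branch, keep the workflow default at `permissions:` / `  contents: read` and move `contents: write` into a job-level `permissions:` on that job; if it deploys through GitHub Pages artifacts instead, `contents: write` is not needed at all and `pages: write` plus `id-token: write` on the deploy job is the minimal grant. Note also that the triggers visible here include `'test-pr-*'` branches, so the write-capable token is currently handed to builds of those test branches as well as `develop`.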
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:35:27 -0400
Subject: [PATCH 4/7] ci: scope down permissions for version-check.yml

---
 .github/workflows/version-check.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
index eb556595f2..44033f9429 100644
--- a/.github/workflows/version-check.yml
+++ b/.github/workflows/version-check.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 check-version:
 runs-on: ubuntu-latest

From b48cae768cc8e87270fa5870f71d9db4044f6e15 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:35:29 -0400
Subject: [PATCH 5/7] ci: scope down permissions for clang-format.yaml

---
 .github/workflows/clang-format.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/clang-format.yaml b/.github/workflows/clang-format.yaml
index 5e4d96dd3d..11d9352da8 100644
--- a/.github/workflows/clang-format.yaml
+++ b/.github/workflows/clang-format.yaml
@@ -11,6 +11,9 @@ on:
 - develop
 - main
 
+permissions:
+ contents: read
+
 jobs:
 clang-format-check:
 runs-on: macos-13

From 5fff5e4decefb132864489288c3e9de4dacd3c2b Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:35:31 -0400
Subject: [PATCH 6/7] ci: scope down permissions for close-stale-issues.yml

---
 .github/workflows/close-stale-issues.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/close-stale-issues.yml b/.github/workflows/close-stale-issues.yml
index 4f721c936b..2b272c6e23 100644
--- a/.github/workflows/close-stale-issues.yml
+++ b/.github/workflows/close-stale-issues.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "0 0 * * *"
 
+permissions:
+ issues: write
+
 jobs:
 cleanup:
 runs-on: ubuntu-latest

From 4743b270141a7d1fcf94ddc2d52c21bd62598116 Mon Sep 17 00:00:00 2001
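Review bot: Listing only `issues: write` sets every other scope, including `contents` and `pull-requests`, to `none` for the `cleanup` job, whose steps are outside this hunk; if it runs the stale action against pull requests as well as issues it now also needs `pull-requests: write`, and if any step checks out the repository it needs `contents: read`. Worth confirming against the job's steps before merging. If only issues are processed, the grant as written is the correct minimum, and a one-line comment above the block, `# stale cleanup only touches issues; no contents or pull-requests scope needed`, would record why the scope is this narrow for the next person who extends the job.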
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:35:33 -0400
Subject: [PATCH 7/7] ci: scope down permissions for pr-desc-lint.yml

---
 .github/workflows/pr-desc-lint.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pr-desc-lint.yml b/.github/workflows/pr-desc-lint.yml
index ee2c429ff1..23c9d54de8 100644
--- a/.github/workflows/pr-desc-lint.yml
+++ b/.github/workflows/pr-desc-lint.yml
@@ -11,6 +11,9 @@ on:
 - reopened
 - edited
 
+permissions:
+ contents: read
+
 jobs:
 check-description:
 runs-on: macos-latest
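Review bot: `contents: read` is the right default for this workflow in particular, because the `reopened` and `edited` activity types visible here fire on pull-request metadata that any contributor controls, and the `check-description` job (outside the hunk) by its nature reads that description; a read-only token limits what a malformed or hostile description could make the job do. Two things still need confirming from the job body: that the linter reports through the job status rather than by posting a comment, which would need a job-level `permissions:` / `  pull-requests: write`, and whether the trigger is `pull_request` or `pull_request_target`, since under the latter the run still receives repository secrets for fork PRs even with the token scoped down.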