From db350d181315c7aee6d06e32313f2d2c1fa53f05 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:55:25 -0400
Subject: [PATCH 1/9] ci: scope down permissions for build-runtime.yml
---
 .github/workflows/build-runtime.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build-runtime.yml b/.github/workflows/build-runtime.yml
index 0327bd34..288ede1a 100644
--- a/.github/workflows/build-runtime.yml
+++ b/.github/workflows/build-runtime.yml
@@ -15,6 +15,9 @@ on:
 - 'lambda-http/**'
 - 'Cargo.toml'
+permissions:
+ contents: read
+
 jobs:
 build-runtime:
 runs-on: ubuntu-latest
From 2506dd6760b8704e944247ab1d80982ad9f0e51c Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:55:27 -0400
Subject: [PATCH 2/9] ci: scope down permissions for format.yml
---
 .github/workflows/format.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 10f8c75f..c7288890 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -2,6 +2,9 @@ name: Formatting and Linting
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 fmt:
 name: Cargo fmt
From 8804a5ca7154a6730ca163e7770933ca445ae18c Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:55:29 -0400
Subject: [PATCH 3/9] ci: scope down permissions for check-examples.yml
---
 .github/workflows/check-examples.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/check-examples.yml b/.github/workflows/check-examples.yml
index 5ef1536a..ef2b89d5 100644
--- a/.github/workflows/check-examples.yml
+++ b/.github/workflows/check-examples.yml
@@ -5,6 +5,9 @@ on:
 branches: [main]
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
From 6f8f1365248dc4ca204fdacf512a5118b4c87bdd Mon Sep 17 00:00:00 2001
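Review bot: In the build-runtime.yml hunk (PATCH 1/9), the new top-level `permissions` block lists only `contents: read`, and GitHub sets every scope that is not listed to `none` once the key is present; the job steps lie outside the hunk, so it cannot be confirmed here that none of them needs another scope. A step that requests an OIDC token, publishes check annotations or comments on a pull request would start failing with a permission error, and any such grant belongs at job level (for example `id-token: write` under the one job that uses it) rather than in this block. The same applies to the identical hunks for format.yml, check-examples.yml, test-rie.yml, build-integration-test.yml, build-extension.yml, check-docs.yml and build-events.yml. A short comment above the block would record the intent, e.g. `# Least privilege: scopes not listed here are none; grant extras per job`.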
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:55:31 -0400
Subject: [PATCH 4/9] ci: scope down permissions for test-rie.yml
---
 .github/workflows/test-rie.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/test-rie.yml b/.github/workflows/test-rie.yml
index 5d777e2d..0609b80f 100644
--- a/.github/workflows/test-rie.yml
+++ b/.github/workflows/test-rie.yml
@@ -6,6 +6,9 @@ on:
 push:
 branches: [ main ]
+permissions:
+ contents: read
+
 jobs:
 test-rie:
 runs-on: ubuntu-latest
From 5423d70850cc0fe250f6398ec0dbe95cc025ebb9 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:55:32 -0400
Subject: [PATCH 5/9] ci: scope down permissions for closed-issue-message.yml
---
 .github/workflows/closed-issue-message.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index 2a73fe92..d471b36b 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -2,6 +2,9 @@ name: Closed Issue Message
 on:
 issues:
 types: [closed]
+permissions:
+ issues: write
+
 jobs:
 auto_comment:
 runs-on: ubuntu-latest
From ba72ab557ec4ee58939e3ef5106bfe55430a8dd9 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:55:34 -0400
Subject: [PATCH 6/9] ci: scope down permissions for build-integration-test.yml
---
 .github/workflows/build-integration-test.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build-integration-test.yml b/.github/workflows/build-integration-test.yml
index dd9bd68f..c7fa4f8f 100644
--- a/.github/workflows/build-integration-test.yml
+++ b/.github/workflows/build-integration-test.yml
@@ -17,6 +17,9 @@ on:
 - 'lambda-extension/**'
 - 'Cargo.toml'
+permissions:
+ contents: read
+
 jobs:
 build-runtime:
 runs-on: ubuntu-latest
From 673a706bb6ee25e2fec22e7f83e238b3b8450cb6 Mon Sep 17 00:00:00 2001
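Review bot: In the closed-issue-message.yml hunk (PATCH 5/9), `issues: write` is the only write grant in the series and it is declared for the whole workflow; placing it under the `auto_comment` job would keep the write scope with the job that uses it if further jobs are added later. The commenting step is outside the hunk, so the need for write access is inferred from the workflow name rather than read from the code. A comment such as `# issues: write is needed to post the closing comment` next to the grant would make the reason explicit for the next reviewer.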
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:55:36 -0400
Subject: [PATCH 7/9] ci: scope down permissions for build-extension.yml
---
 .github/workflows/build-extension.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build-extension.yml b/.github/workflows/build-extension.yml
index f823dbb4..2d8ac011 100644
--- a/.github/workflows/build-extension.yml
+++ b/.github/workflows/build-extension.yml
@@ -16,6 +16,9 @@ on:
 - 'Cargo.toml'
+permissions:
+ contents: read
+
 jobs:
 build-runtime:
 runs-on: ubuntu-latest
From 942b15b1d7abcb928ec60beca8086e3469185eb9 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:55:38 -0400
Subject: [PATCH 8/9] ci: scope down permissions for check-docs.yml
---
 .github/workflows/check-docs.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml
index 4e26c31c..d452f857 100644
--- a/.github/workflows/check-docs.yml
+++ b/.github/workflows/check-docs.yml
@@ -21,6 +21,9 @@ on:
 - 'lambda-extension/**'
 - 'Cargo.toml'
+permissions:
+ contents: read
+
 jobs:
 build-runtime:
 runs-on: ubuntu-latest
From 5b4318749ebd2c2ff868d129993ebfb9c56bcd31 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:55:40 -0400
Subject: [PATCH 9/9] ci: scope down permissions for build-events.yml
---
 .github/workflows/build-events.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build-events.yml b/.github/workflows/build-events.yml
index 624f96d6..539e2b3c 100644
--- a/.github/workflows/build-events.yml
+++ b/.github/workflows/build-events.yml
@@ -10,6 +10,9 @@ on:
 - "lambda-events/**"
 - "Cargo.toml"
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest