From e60860abd4eaf91ea61724db47bd3c3565da6d46 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:52:52 -0400
Subject: [PATCH 1/6] ci: scope down permissions for release.yml
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d1368d6d4..e9cdd6819 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
 env:
 CARGO_TERM_COLOR: always
 
+permissions:
+ contents: write
+
 jobs:
 build:
 strategy:
From 54794f76c39e9628f055c7695c3a2c83eff39bf4 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:52:54 -0400
Subject: [PATCH 2/6] ci: scope down permissions for action-ci.yml
---
 .github/workflows/action-ci.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/action-ci.yml b/.github/workflows/action-ci.yml
index 997fc2dcb..cf6a4f882 100644
--- a/.github/workflows/action-ci.yml
+++ b/.github/workflows/action-ci.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - "action/**"
 - "action.yml"
+permissions:
+ contents: read
+
 jobs:
 run-unit-tests:
 runs-on: ubuntu-latest
From b7ff28b1076afc52ff94d92639b39bbc92a93a4e Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:52:55 -0400
Subject: [PATCH 3/6] ci: scope down permissions for pr.yml
---
 .github/workflows/pr.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 13abd23d1..4959bd26a 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -14,6 +14,9 @@ env:
 CARGO_TERM_COLOR: always
 FUZZ_TIME: 420
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build all crates & run unit tests
From a77fad355e56612185ab6879e257696f88c9d694 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:52:57 -0400
Subject: [PATCH 4/6] ci: scope down permissions for pre-commit.yml
---
 .github/workflows/pre-commit.yml | 3 +++
 1 file changed, 3 insertions(+)
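Review bot: The workflow-level `permissions: contents: write` in release.yml grants a write-capable GITHUB_TOKEN to every job in the file, including the `build` job visible in the hunk's trailing context, not only to the job that publishes the release. Least privilege for a release workflow is `contents: read` at the top level plus a job-level `permissions:` / `contents: write` on the job that creates or uploads release assets, so a compromised dependency in a build or test step only ever holds a read-only token. Which jobs exist and which one actually needs write access is outside the hunk, so confirm against the full file before narrowing. The other five patches in this series use `contents: read`, so this is the only workflow where the grant deserves a second look.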
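Review bot: In action-ci.yml the new `permissions:` block is placed directly after the last `paths:` entry of the `on:` trigger with no blank line, whereas patches 1 and 3 land the block after an existing blank line; the same layout appears in patch 4 (pre-commit.yml) and patch 5 (typescript_library.yml). A blank line before `permissions:` keeps the top-level keys visually separated the way `on:`, `env:` and `jobs:` already are in the other files and makes the trigger block's end obvious to a reader. This is layout only; the resulting YAML parses the same either way.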
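Review bot: Nothing in pr.yml records the effect of the new top-level `permissions:` block: declaring any scope at workflow level turns every unlisted GITHUB_TOKEN scope off for all jobs, which is the intent of the change but is invisible to a later contributor who adds a job that comments on the pull request or uploads a check run. A one-line comment above the block, `# Default GITHUB_TOKEN scopes for all jobs; a job that needs more must declare its own permissions block.`, records that intent, and the same comment fits the other five workflows in this series. The `build` job and any other job that might need broader access sit outside the hunk.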
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 69b609010..f4895af84 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -14,6 +14,9 @@ on:
 - .github/workflows/pre-commit.yml
 - .pre-commit-config.yaml
 - .pre-commit-hooks.yaml
+permissions:
+ contents: read
+
 jobs:
 run-unit-tests-and-lint:
 runs-on: ubuntu-latest
From 10e1fcb997bdf0d3ccba6a3e6f9bb8bd8982c6e2 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:52:59 -0400
Subject: [PATCH 5/6] ci: scope down permissions for typescript_library.yml
---
 .github/workflows/typescript_library.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/typescript_library.yml b/.github/workflows/typescript_library.yml
index 3bb755025..75459abb4 100644
--- a/.github/workflows/typescript_library.yml
+++ b/.github/workflows/typescript_library.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 paths:
 - 'guard/ts-lib/**'
+permissions:
+ contents: read
+
 jobs:
 run-unit-tests-windows:
 runs-on: windows-latest
From f1172c949f64c6a87c7dfcf76a1cda8c497b9f9b Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:53:01 -0400
Subject: [PATCH 6/6] ci: scope down permissions for security_audit.yml
---
 .github/workflows/security_audit.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
index e2b8fa054..2dd0b8cfe 100644
--- a/.github/workflows/security_audit.yml
+++ b/.github/workflows/security_audit.yml
@@ -3,6 +3,9 @@ on:
 schedule:
 - cron: "0 17 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 audit:
 if: github.repository == 'aws-cloudformation/cloudformation-guard'
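Review bot: security_audit.yml runs only on a `schedule` and its `audit` job is gated on `github.repository`, which is the usual shape of a job that files an issue or a check run when a vulnerable dependency is found; if the job uses an action that does so, `contents: read` alone will make it fail at the point where it tries to write. The job's steps are outside the hunk, so confirm whether it only reports to the log. If it does open issues or check runs, keep the top-level `contents: read` and add a job-level `permissions:` block with `issues: write` (or `checks: write`) on the `audit` job rather than widening the workflow-level grant; a failed scheduled audit that nobody notices is the failure mode to watch for after this lands.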