From 5ca114e8fc62e706c49c3333f34a391958a52929 Mon Sep 17 00:00:00 2001
From: Luccas Gomes <luccasmmg@gmail.com>
Date: Tue, 3 Mar 2026 20:45:48 -0300
Subject: [PATCH] fix: harden currency-codes downloads and workflow permissions

---
 .github/workflows/actions.yml       | 3 +++
 UPDATE_SCRIPT_MAINTENANCE_REPORT.md | 7 +++++++
 scripts/runall.sh                   | 4 ++--
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 UPDATE_SCRIPT_MAINTENANCE_REPORT.md

diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
index 512d9c4..d3231c4 100644
--- a/.github/workflows/actions.yml
+++ b/.github/workflows/actions.yml
@@ -18,6 +18,9 @@ on:
   # Allows manual triggering of the workflow
   workflow_dispatch: 
 
+permissions:
+  contents: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/UPDATE_SCRIPT_MAINTENANCE_REPORT.md b/UPDATE_SCRIPT_MAINTENANCE_REPORT.md
new file mode 100644
index 0000000..324b14c
--- /dev/null
+++ b/UPDATE_SCRIPT_MAINTENANCE_REPORT.md
@@ -0,0 +1,7 @@
+# Update Script Maintenance Report
+
+Date: 2026-03-03
+
+- Ran `scripts/runall.sh` successfully to validate current update pipeline.
+- Hardened XML downloads in `scripts/runall.sh` with `curl --fail --silent --show-error --location`.
+- Added `permissions: contents: write` in `.github/workflows/actions.yml` for scheduled push reliability.
diff --git a/scripts/runall.sh b/scripts/runall.sh
index e9561d0..2478cd3 100755
--- a/scripts/runall.sh
+++ b/scripts/runall.sh
@@ -27,8 +27,8 @@ if [ ! -d ./cache ]; then
   mkdir cache
 fi;
 echo Downloading XML files...
-curl -s -o cache/a1.xml "https://www.six-group.com/dam/download/financial-information/data-center/iso-currrency/lists/list-one.xml"
-curl -s -o cache/a2.xml "https://www.six-group.com/dam/download/financial-information/data-center/iso-currrency/lists/list-three.xml"
+curl --fail --silent --show-error --location -o cache/a1.xml "https://www.six-group.com/dam/download/financial-information/data-center/iso-currrency/lists/list-one.xml"
+curl --fail --silent --show-error --location -o cache/a2.xml "https://www.six-group.com/dam/download/financial-information/data-center/iso-currrency/lists/list-three.xml"
 
 # write headers
 echo "Entity,Currency,AlphabeticCode,NumericCode,MinorUnit,WithdrawalDate" > ${outfile}