From 51d8ba1a9e8ed37e09560753c64efaf6a6e48453 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:53:30 -0400
Subject: [PATCH 1/3] ci: scope down permissions for pypi-release.yaml
---
 .github/workflows/pypi-release.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/pypi-release.yaml b/.github/workflows/pypi-release.yaml
index 45942c2d..20b83e7c 100644
--- a/.github/workflows/pypi-release.yaml
+++ b/.github/workflows/pypi-release.yaml
@@ -5,6 +5,9 @@ on:
 release:
 types: [ published ]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
From eca0fd30e2a5081be3afcda63f5ee093f077b4d0 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:53:32 -0400
Subject: [PATCH 2/3] ci: scope down permissions for schema-updater.yaml
---
 .github/workflows/schema-updater.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/schema-updater.yaml b/.github/workflows/schema-updater.yaml
index d998609e..743f5ea3 100644
--- a/.github/workflows/schema-updater.yaml
+++ b/.github/workflows/schema-updater.yaml
@@ -2,6 +2,10 @@ on:
 schedule:
 - cron: '0 0 * * *'
 workflow_dispatch: # Enables on-demand/manual triggering: https://docs.github.com/en/free-pro-team@latest/actions/managing-workflow-runs/manually-running-a-workflow
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 schema-updater:
 runs-on: ubuntu-latest
From 1ea09d9287f67bf0d9971d3e2c3f00416094f7d0 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:53:34 -0400
Subject: [PATCH 3/3] ci: scope down permissions for pr-ci.yaml
---
 .github/workflows/pr-ci.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/pr-ci.yaml b/.github/workflows/pr-ci.yaml
index 751d3943..c0178f32 100644
--- a/.github/workflows/pr-ci.yaml
+++ b/.github/workflows/pr-ci.yaml
@@ -4,6 +4,9 @@ name: CloudFormation CLI Pull Request CI
 on: [push, pull_request]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 env:
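Review bot: The workflow-level `permissions: contents: read` added in the pypi-release.yaml hunk also binds the job that uploads to PyPI, and if that job authenticates through Trusted Publishing (OIDC) it now needs `id-token: write` declared at job level or the upload will be refused; the job steps lie outside the hunk, so whether it uses OIDC or a `PYPI_API_TOKEN` secret cannot be confirmed here. Because a job-level `permissions:` block replaces the workflow-level set rather than adding to it, a publish job that opts in should restate what it still needs, e.g. `permissions:` / `  id-token: write` / `  contents: read`. I would also document the intent above the new key: `# GITHUB_TOKEN is read-only by default; the publish job must opt in to id-token: write for Trusted Publishing.`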
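Review bot: In the schema-updater.yaml hunk, `contents: write` and `pull-requests: write` are declared at the workflow level, so every job and every step of this scheduled run holds a token that can push to branches — including whatever step downloads or regenerates the schema before a pull request is opened, which is the step most exposed to a compromised upstream or dependency. Since the `schema-updater` job body is outside the hunk I cannot tell which step needs write, but the least-privilege shape is `permissions:` / `  contents: read` at the top and the two write scopes moved into the job's own `permissions:` block (or into a separate job that only creates the PR). Also worth noting in a comment: pull requests opened with GITHUB_TOKEN do not trigger `on: pull_request` workflows, so if PR CI is expected to run on the generated PR that requires a GitHub App or PAT, not additional token scopes. The commit title says "scope down", but this is the one workflow the series leaves with write access, so a comment explaining why is warranted.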
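Review bot: With `on: [push, pull_request]` unfiltered in pr-ci.yaml, the new `contents: read` mainly hardens the `push` runs on the repository's own branches; `pull_request` runs from forks already receive a read-only GITHUB_TOKEN, so for them this line changes nothing. Any job in this workflow that previously relied on the default write token — posting check annotations, commenting on the PR, pushing artifacts — would now get a 403 and must request its scope at job level (e.g. `checks: write` or `pull-requests: write`); the job bodies are outside the hunk so I cannot confirm none do. A comment above the key would make the intent durable: `# Read-only token for every job; request additional scopes per job, never here.`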