From 594640993b5ea50f3c0a007001a119b67d9e7917 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 21:14:42 -0400
Subject: [PATCH 1/3] Scope down GitHub token permissions for codeql-analysis.yml

---
 .github/workflows/codeql-analysis.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c581a0073..b539d0905 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,11 @@ on:
   schedule:
     - cron: '0 0 * * 2'
 
+
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze

From 0c2871b8a39bb84241841ae2994740c6d0a6552a Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 21:14:48 -0400
Subject: [PATCH 2/3] Scope down GitHub token permissions for notifications.yml

---
 .github/workflows/notifications.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml
index d2d7727bc..8fbbc95fd 100644
--- a/.github/workflows/notifications.yml
+++ b/.github/workflows/notifications.yml
@@ -7,6 +7,10 @@ on:
   issue_comment:
     types: [created]
 
+
+permissions:
+  contents: read
+
 jobs:
   issue-notifications:
     name: Send Notifications

From 47f6908f9347191722ceeb44c91236aacd849981 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 21:14:52 -0400
Subject: [PATCH 3/3] Scope down GitHub token permissions for check.yml

---
 .github/workflows/check.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 18cba71c1..28c16d1d4 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,5 +1,9 @@
 on: [pull_request]
 
+
+permissions:
+  contents: read
+
 name: Check
 
 jobs:
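Review bot: The new `permissions` block in codeql-analysis.yml grants only `contents: read` and `security-events: write`, but github/codeql-action documents `actions: read` as additionally required when the repository is private; repository visibility cannot be read from the hunk, so confirm it before merging or the analyze step may fail to fetch workflow metadata. The `analyze` job that consumes this token begins on the hunk's last lines and continues outside it, so any step that genuinely needs another scope should declare a job-level `permissions:` rather than widening this workflow-level floor. A one-line rationale above `permissions:` would help future editors, e.g. `# Least privilege for GITHUB_TOKEN: read the repo, upload SARIF to code scanning.` Minor style: the added blank line appears to sit next to the existing blank context line, leaving two consecutive blank lines before `permissions:`.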
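Review bot: `issue_comment: types: [created]` fires for comments from any account, so the job running under this new `contents: read` floor still processes attacker-controlled text; the `issue-notifications` job body lies outside the hunk, so confirm that fields such as `github.event.comment.body` and `github.event.issue.title` reach `run:` steps only through `env:` variables and never via inline `${{ }}` interpolation, because scoping GITHUB_TOKEN does nothing to protect a notification webhook or API secret exfiltrated through expression injection. If any step reads issue or comment data back through GITHUB_TOKEN it would also need `issues: read` under this block; if it only forwards events to an external endpoint, `contents: read` is sufficient. Assuming the latter, a comment above the block such as `# Least privilege: this workflow does not write back to the repository or its issues.` would record the intent.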
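Review bot: The new block in check.yml carries no rationale, and it is inserted so that `name: Check` now follows `permissions:` rather than leading the file as workflow names conventionally do; consider adding `# Least privilege: the default GITHUB_TOKEN would be read/write; these checks only need to read the repo.` above `permissions:` (and, optionally, moving `name:` back to the top). For `pull_request` runs from forks the token is already read-only, so this floor mainly constrains same-repository pull requests and the first-party jobs under `jobs:`, which continue outside the hunk. Any check that must write a status, comment or annotation should add a job-level `permissions:` with only that scope instead of loosening this workflow-level block.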