From 8eb72a3c9dda50d8b67c175f9983aa719192dce8 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:27:16 -0400
Subject: [PATCH 1/2] ci: scope down permissions for publish-adrs.yml
---
 .github/workflows/publish-adrs.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/publish-adrs.yml b/.github/workflows/publish-adrs.yml
index 1fb3d0d50..6e439afc5 100644
--- a/.github/workflows/publish-adrs.yml
+++ b/.github/workflows/publish-adrs.yml
@@ -3,6 +3,10 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: write
+ pages: write
+
 jobs:
 build-and-publish:
 runs-on: ubuntu-latest
From 6ffe66b5075e7f67135aaedbba41af5358261198 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:27:18 -0400
Subject: [PATCH 2/2] ci: scope down permissions for pull_request.yml
---
 .github/workflows/pull_request.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 84f88712a..98fc00c73 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -5,6 +5,9 @@ on:
 #By default, a workflow only runs when a pull_request event's activity type is opened, synchronize, or reopened.
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 frontend-tests:
 runs-on: ubuntu-latest
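Review bot: The added top-level `permissions:` block in publish-adrs.yml gives both `contents: write` and `pages: write` to every job in the workflow, and nothing in the hunk records which publish step needs which scope. The steps of `build-and-publish` lie outside the hunk, so this is inferred: a publish that pushes the rendered site to a branch needs only `contents: write`, while one that goes through the Pages deployment action needs `pages: write` (plus `id-token: write`) and can run with `contents: read`. I would keep only the scope the deploy step actually uses, declare it under `build-and-publish:` rather than at the workflow level, and add a comment next to it such as `# contents: write: the publish step pushes the rendered ADRs`. Scopes that are not listed resolve to `none`, so a missing one will show up as a failed publish on the next push to main and is worth checking before merge.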
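Review bot: The new `permissions:` block in pull_request.yml carries no comment, unlike the trigger directly above it, so a contributor who later adds a job that comments on the PR or publishes check results has no hint that the token is read-only by design. I would add `# Read-only GITHUB_TOKEN for all jobs; grant extra scopes per job, not here` above `permissions:`. Only `frontend-tests` is visible and the remaining jobs start outside the hunk, so it is worth confirming that none of them depends on a scope such as `pull-requests: write` or `checks: write`, which now resolve to `none`.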