From 791fc7b6a996a47873b3b6bed24f8e17dcf9f20e Mon Sep 17 00:00:00 2001
From: Matthew Fishman
Date: Sun, 3 May 2026 08:16:06 -0400
Subject: [PATCH 1/3] Permissions-hardening canary: trigger CI under read-only token ceiling

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 0727bc4..b3800be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+# Permissions-hardening canary marker — remove before merging.
 *.cov
 *.mem
 *.o

From bbbf1011fb6df2fe56f6505b0d63f46833b33ddf Mon Sep 17 00:00:00 2001
From: Matthew Fishman
Date: Sun, 3 May 2026 09:46:02 -0400
Subject: [PATCH 2/3] Canary: add explicit permissions blocks for the three failing callers

---
 .github/workflows/Documentation.yml | 4 ++++
 .github/workflows/IntegrationTest.yml | 5 +++++
 .github/workflows/VersionCheck.yml | 5 +++++
 3 files changed, 14 insertions(+)

diff --git a/.github/workflows/Documentation.yml b/.github/workflows/Documentation.yml
index 7442953..d8d4af1 100644
--- a/.github/workflows/Documentation.yml
+++ b/.github/workflows/Documentation.yml
@@ -10,9 +10,13 @@ on:
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: "${{ github.ref_name != github.event.repository.default_branch || github.ref != 'refs/tags/v*' }}"
+permissions:
+  contents: read
 jobs:
   build-and-deploy-docs:
     name: "Documentation"
+    permissions:
+      contents: write
     uses: "ITensor/ITensorActions/.github/workflows/Documentation.yml@v1"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"
diff --git a/.github/workflows/IntegrationTest.yml b/.github/workflows/IntegrationTest.yml
index 23997cc..d2eba68 100644
--- a/.github/workflows/IntegrationTest.yml
+++ b/.github/workflows/IntegrationTest.yml
@@ -11,9 +11,14 @@ on:
       - "reopened"
       - "ready_for_review"
       - "converted_to_draft"
+permissions:
+  contents: read
 jobs:
   integration-test:
     name: "IntegrationTest"
+    permissions:
+      actions: read
+      contents: read
     uses: "ITensor/ITensorActions/.github/workflows/IntegrationTest.yml@v1"
     secrets: "inherit"
     with:
diff --git a/.github/workflows/VersionCheck.yml b/.github/workflows/VersionCheck.yml
index 102898e..dcc4992 100644
--- a/.github/workflows/VersionCheck.yml
+++ b/.github/workflows/VersionCheck.yml
@@ -1,9 +1,14 @@
 name: "Version Check"
 on:
   pull_request: ~
+permissions:
+  contents: read
 jobs:
   version-check:
     name: "Version Check"
+    permissions:
+      contents: read
+      pull-requests: read
     uses: "ITensor/ITensorActions/.github/workflows/VersionCheck.yml@v1"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"

From 4477dc29bcec75f11865e5ab4bf126671cd3d767 Mon Sep 17 00:00:00 2001
From: Matthew Fishman
Date: Sun, 3 May 2026 11:54:06 -0400
Subject: [PATCH 3/3] Permissions: simplify to workflow-level only; remove .gitignore canary marker

---
 .github/workflows/CheckCompatBounds.yml | 2 ++
 .github/workflows/Documentation.yml | 4 +---
 .github/workflows/FormatCheck.yml | 2 ++
 .github/workflows/IntegrationTest.yml | 6 ++----
 .github/workflows/TagBot.yml | 3 +++
 .github/workflows/Tests.yml | 2 ++
 .github/workflows/VersionCheck.yml | 6 ++----
 .gitignore | 1 -
 8 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/CheckCompatBounds.yml b/.github/workflows/CheckCompatBounds.yml
index 87c7428..2fb4b15 100644
--- a/.github/workflows/CheckCompatBounds.yml
+++ b/.github/workflows/CheckCompatBounds.yml
@@ -1,6 +1,8 @@
 name: "Check Compat Bounds"
 on:
   pull_request: ~
+permissions:
+  contents: "read"
 jobs:
   check-compat-bounds:
     name: "Check Compat Bounds"
diff --git a/.github/workflows/Documentation.yml b/.github/workflows/Documentation.yml
index d8d4af1..9bfa4ec 100644
--- a/.github/workflows/Documentation.yml
+++ b/.github/workflows/Documentation.yml
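Review bot: The new job-level `permissions` block bounds only the GITHUB_TOKEN; the `secrets: "inherit"` line just below it, unchanged here, still forwards every repository and organization secret to the reusable workflow, so a read-only token ceiling does not make this a read-only job. If the integration test needs a known subset, pass those secrets by name under `secrets:` instead of `inherit`, or at least record in a comment above `permissions:` which inherited secret the callee actually uses. The same point applies to the PATCH 3 IntegrationTest.yml hunk, which keeps `secrets: "inherit"` as is. `actions: read` is presumably there so the callee can list or download workflow artifacts; a one-line comment saying why would stop the next reader from dropping it as unused.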
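Review bot: The added workflow-level `contents: "read"` is undocumented, and because this workflow delegates to a reusable workflow the caller's block is the ceiling the callee's jobs inherit — a later change in the callee that needs a write scope will surface as a failed run rather than as an edit to this file. A comment above the block such as `# Token ceiling for the reusable workflow; widen a single scope here if the callee ever needs write.` would record that contract. The FormatCheck.yml and Tests.yml hunks in this patch add the identical block and would take the same comment. The job body is outside the hunk, so whether the callee writes anything cannot be confirmed from here.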
@@ -11,12 +11,10 @@ concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: "${{ github.ref_name != github.event.repository.default_branch || github.ref != 'refs/tags/v*' }}"
 permissions:
-  contents: read
+  contents: "write"
 jobs:
   build-and-deploy-docs:
     name: "Documentation"
-    permissions:
-      contents: write
     uses: "ITensor/ITensorActions/.github/workflows/Documentation.yml@v1"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"
diff --git a/.github/workflows/FormatCheck.yml b/.github/workflows/FormatCheck.yml
index 7bbbfee..30828d6 100644
--- a/.github/workflows/FormatCheck.yml
+++ b/.github/workflows/FormatCheck.yml
@@ -6,6 +6,8 @@ on:
       - "synchronize"
       - "reopened"
       - "ready_for_review"
+permissions:
+  contents: "read"
 jobs:
   format-check:
     name: "Format Check"
diff --git a/.github/workflows/IntegrationTest.yml b/.github/workflows/IntegrationTest.yml
index d2eba68..ef29c91 100644
--- a/.github/workflows/IntegrationTest.yml
+++ b/.github/workflows/IntegrationTest.yml
@@ -12,13 +12,11 @@ on:
       - "ready_for_review"
       - "converted_to_draft"
 permissions:
-  contents: read
+  actions: "read"
+  contents: "read"
 jobs:
   integration-test:
     name: "IntegrationTest"
-    permissions:
-      actions: read
-      contents: read
     uses: "ITensor/ITensorActions/.github/workflows/IntegrationTest.yml@v1"
     secrets: "inherit"
     with:
diff --git a/.github/workflows/TagBot.yml b/.github/workflows/TagBot.yml
index d4da40e..007110a 100644
--- a/.github/workflows/TagBot.yml
+++ b/.github/workflows/TagBot.yml
@@ -6,6 +6,9 @@ on:
   workflow_dispatch: ~
 env:
   REGISTRY_TAGBOT_ACTION: "JuliaRegistries/TagBot"
+permissions:
+  contents: "write"
+  issues: "read"
 jobs:
   TagBot:
     if: "github.event_name == 'workflow_dispatch' || github.actor == 'JuliaTagBot'"
diff --git a/.github/workflows/Tests.yml b/.github/workflows/Tests.yml
index 244ca0e..6e1dce9 100644
--- a/.github/workflows/Tests.yml
+++ b/.github/workflows/Tests.yml
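Review bot: Moving `contents: "write"` to the workflow level makes it the ceiling for every job in Documentation.yml, not only `build-and-deploy-docs`; with the single job visible here that is equivalent to the job-level form it replaces, but any job added later inherits write by default. The grant is also undocumented — a comment above the block such as `# write: the reusable Documentation workflow publishes the built site; nothing else here needs it` would state the intent, adjusted to what the callee actually does. The `on:` triggers are outside the hunk, so whether this write ceiling is ever in effect for pull_request runs cannot be confirmed here, and the unchanged `uses:` line references the callee by the floating `@v1` tag, so the write scope covers whatever that tag later resolves to.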
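Review bot: `issues: "read"` without `pull-requests: "read"` may be narrower than the TagBot action needs if it builds release notes from merged pull requests; that would show up as a failed TagBot run rather than a parse error, so check the block against the permissions documented for the `JuliaRegistries/TagBot` version this job runs (the job steps are outside the hunk). The `contents: "write"` grant is the release-creating scope and is gated only by the unchanged `if:` on `workflow_dispatch` or `github.actor == 'JuliaTagBot'`, which is the pre-existing trust boundary; a comment above the block, e.g. `# write: TagBot creates tags and releases; issues read: changelog generation`, would make the reason for each scope explicit.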
@@ -19,6 +19,8 @@ on:
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: "${{ startsWith(github.ref, 'refs/pull/') }}"
+permissions:
+  contents: "read"
 jobs:
   tests:
     name: "Tests"
diff --git a/.github/workflows/VersionCheck.yml b/.github/workflows/VersionCheck.yml
index dcc4992..7008f48 100644
--- a/.github/workflows/VersionCheck.yml
+++ b/.github/workflows/VersionCheck.yml
@@ -2,13 +2,11 @@ name: "Version Check"
 on:
   pull_request: ~
 permissions:
-  contents: read
+  contents: "read"
+  pull-requests: "read"
 jobs:
   version-check:
     name: "Version Check"
-    permissions:
-      contents: read
-      pull-requests: read
     uses: "ITensor/ITensorActions/.github/workflows/VersionCheck.yml@v1"
     with:
       localregistry: "https://github.com/ITensor/ITensorRegistry.git"
diff --git a/.gitignore b/.gitignore
index b3800be..0727bc4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
-# Permissions-hardening canary marker — remove before merging.
 *.cov
 *.mem
 *.o