From 72a0a190eb8cac06d3dd482fbc7ee1fbb5f55f9b Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 16:48:24 -0400
Subject: [PATCH 1/2] Scope down GitHub token permissions for eval-model.yml

---
 .github/workflows/eval-model.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/eval-model.yml b/.github/workflows/eval-model.yml
index 72b8e902..51f611cd 100644
--- a/.github/workflows/eval-model.yml
+++ b/.github/workflows/eval-model.yml
@@ -11,6 +11,10 @@ on:
       - synchronize # When new commits are pushed to the PR
       - labeled # When a label is added to the PR
 
+
+permissions:
+  contents: read
+
 jobs:
   evaluate-and-print:
     if: contains(github.event.pull_request.labels.*.name, 'run-eval') # Only run if 'run-eval' label is added

From e991b7030e3c061cefdd1cad080d9e739023fd1c Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 16:48:36 -0400
Subject: [PATCH 2/2] Scope down GitHub token permissions for ci.yml

---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6837ad5b..26d81fc2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: "0 8 * * *" # Run at 8 AM UTC
 
+
+permissions:
+  contents: read
+
 jobs:
   type-check:
     strategy:
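Review bot: The workflow-level `permissions:` block only sets the default token scope; any job-level `permissions:` key on `evaluate-and-print` (whose body is outside this hunk) replaces it entirely, and a step in that job that posts eval results back to the PR or requests an OIDC token would now fail unless `pull-requests: write` or `id-token: write` is granted at the job level — please confirm no step relied on the previous default-write token. The `labeled` trigger is a signal that this job is gated on a maintainer action; if the event is `pull_request_target` rather than `pull_request` (not visible here), a read-only token still does not protect repository secrets from a checked-out PR head, so that gate remains the load-bearing control. A short comment would make the intent durable, e.g. `# Least-privilege default for GITHUB_TOKEN; grant extra scopes per job, never here`. Minor style point: the added block leaves two consecutive blank lines before `permissions:` (the existing blank context line plus the added `+` blank), so dropping the first added blank line keeps the file consistent.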
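Review bot: The `contents: read` default is appropriate for a `type-check` job, but because this file also runs on `schedule` (on the default branch, with repository secrets available) any later job that publishes artifacts, pushes tags, or writes check results will need its own job-level `permissions:` block now that the workflow default is read-only; the jobs after `type-check` are outside this hunk, so please verify none of them used the previous default-write token. Note that a job-level `permissions:` replaces the workflow default rather than merging with it, so each such job must list every scope it needs. Consider documenting that with a comment above the block, e.g. `# GITHUB_TOKEN defaults to read-only; jobs that publish must opt in to write scopes explicitly`. As in the sibling patch, the added leading `+` blank line produces two consecutive blank lines before `permissions:` and could be dropped.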