From b4d5a0a432c9076a33f728ce5d6674933f6a2abd Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:03:28 -0400
Subject: [PATCH 1/2] ci: scope down permissions for remove-old-artifacts.yml

---
 .github/workflows/remove-old-artifacts.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/remove-old-artifacts.yml b/.github/workflows/remove-old-artifacts.yml
index 9bee87041..5899e8671 100644
--- a/.github/workflows/remove-old-artifacts.yml
+++ b/.github/workflows/remove-old-artifacts.yml
@@ -5,6 +5,9 @@ on:
 # Every day at 1am
 - cron: "0 1 * * *"
 
+permissions:
+ actions: write
+
 jobs:
 remove-old-artifacts:
 runs-on: ubuntu-latest

From 1efccadd96a2b5255f42adca6270b6aadff38426 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:03:30 -0400
Subject: [PATCH 2/2] ci: scope down permissions for main.yml

---
 .github/workflows/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3c8ba4145..02c8389b9 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,6 +8,9 @@ on:
 branches:
 - "*"
 
+permissions:
+ contents: read
+
 jobs:
 run-checks-and-unit-tests:
 runs-on: ubuntu-latest
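Review bot: `actions: write` is granted at workflow level in remove-old-artifacts.yml, so any job later added to this file inherits a token that can delete artifacts and cancel workflow runs; scoping it to the one job that needs it is tighter. I would set the top level to `permissions: {}` and put `permissions:` / `actions: write` under `remove-old-artifacts:`. A comment such as `# actions: write is needed to delete artifacts through the API` would record why the write scope exists. The job's steps are outside the hunk; if they call a third-party action, that action receives this token, so it is worth confirming it is pinned to a full commit SHA.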
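Review bot: With `contents: read` as the only entry in main.yml, every other scope of the GITHUB_TOKEN becomes `none`, so any step that reports back to the pull request (check runs, comments, status updates) or publishes something would start failing with a permission error. The jobs' steps are outside the hunk, so this needs a check against the full file; the same check applies to remove-old-artifacts.yml in patch 1/2. Where a job does need more, add a job-level block such as `permissions:` / `pull-requests: write` on that job rather than widening the top-level default. A one-line comment above the block, for example `# read-only default; jobs that need more declare it themselves`, would keep the convention visible to later contributors.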