From 5dd144b9a37c47bff6945d98eacee9aaae352631 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Mon, 20 Oct 2025 18:06:26 -0400 Subject: [PATCH 1/6] Scope down GitHub token permissions for writeme.yml --- .github/workflows/writeme.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/writeme.yml b/.github/workflows/writeme.yml index 865e73687e4..f346ad0d41e 100644 --- a/.github/workflows/writeme.yml +++ b/.github/workflows/writeme.yml @@ -11,6 +11,10 @@ on: # yamllint disable-line rule:truthy # Allows you to run this workflow manually from the Actions tab workflow_dispatch: + +permissions: + contents: read + # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" From baa03efad5475d9e0e7c824f2cf7f91c0808f473 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Mon, 20 Oct 2025 18:06:30 -0400 Subject: [PATCH 2/6] Scope down GitHub token permissions for yaml-lint.yml --- .github/workflows/yaml-lint.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml index cf767fa774e..4a10e9ac420 100644 --- a/.github/workflows/yaml-lint.yml +++ b/.github/workflows/yaml-lint.yml @@ -4,6 +4,10 @@ on: # yamllint disable-line rule:truthy pull_request: workflow_dispatch: + +permissions: + contents: read + jobs: yamllint: name: Lint Yaml From 22cdcb9076e2f75afd7cc33c0b5258750ac2bec0 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Mon, 20 Oct 2025 18:06:34 -0400 Subject: [PATCH 3/6] Scope down GitHub token permissions for lint-php.yml --- .github/workflows/lint-php.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml index 1d27aeae209..95af1892080 100644 --- a/.github/workflows/lint-php.yml +++ b/.github/workflows/lint-php.yml 
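Review bot: Declaring only `contents: read` at the top level of writeme.yml sets every scope that is not listed to no access, and the job steps that would show whether that is sufficient lie outside the hunk. If any step reports results through the token (check runs, commit statuses, PR comments), it will start failing with a permission error. Such a step should get its scope in that job's own `permissions:` block (for example `statuses: write`) rather than by widening the workflow-level one. The same applies to the yaml-lint, lint-php, lint-ruby, lint-kotlin and lint-javascript hunks in this series. A short comment above the block would keep the intent visible to later editors: `# Least privilege: GITHUB_TOKEN is read-only here; grant extra scopes per job.`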
@@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy - ".github/linters/phpcs.xml" - ".github/workflows/php-lint.yml" + +permissions: + contents: read + jobs: phpcs: name: "PHP Linter" From fb29a42d69676f34afd987a0a0d67f361bf9f770 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Mon, 20 Oct 2025 18:06:41 -0400 Subject: [PATCH 4/6] Scope down GitHub token permissions for lint-ruby.yml --- .github/workflows/lint-ruby.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/lint-ruby.yml b/.github/workflows/lint-ruby.yml index b8ef856ea5f..1a1f99d0a26 100644 --- a/.github/workflows/lint-ruby.yml +++ b/.github/workflows/lint-ruby.yml @@ -4,6 +4,10 @@ on: # yamllint disable-line rule:truthy pull_request: workflow_dispatch: + +permissions: + contents: read + jobs: rubocop: name: RuboCop From e8bb6f2af1c5847778032a50ea964867849c8860 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Mon, 20 Oct 2025 18:06:56 -0400 Subject: [PATCH 5/6] Scope down GitHub token permissions for lint-kotlin.yml --- .github/workflows/lint-kotlin.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/lint-kotlin.yml b/.github/workflows/lint-kotlin.yml index 8e0c59a2cb8..376965509b5 100644 --- a/.github/workflows/lint-kotlin.yml +++ b/.github/workflows/lint-kotlin.yml @@ -4,6 +4,10 @@ on: # yamllint disable-line rule:truthy workflow_dispatch: pull_request: + +permissions: + contents: read + jobs: ktlint: name: Lint Kotlin From 2d5da3c91c03435f28358ea1e80bdbb1742fc484 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Mon, 20 Oct 2025 18:07:01 -0400 Subject: [PATCH 6/6] Scope down GitHub token permissions for lint-javascript.yml --- .github/workflows/lint-javascript.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/lint-javascript.yml b/.github/workflows/lint-javascript.yml index c075f495269..e5bd61784f9 100644 --- a/.github/workflows/lint-javascript.yml +++ b/.github/workflows/lint-javascript.yml 
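Review bot: The path filter in the context lines of the lint-php.yml hunk lists `.github/workflows/php-lint.yml`, but the file being patched is `.github/workflows/lint-php.yml`. An edit to this workflow, including the new `permissions` block, therefore probably does not trigger a run that would exercise it. The `on:` block starts outside the hunk, so other filters may exist; if this entry is meant to name the workflow itself, it should read `- ".github/workflows/lint-php.yml"`. Until that is corrected, the reduced token scope is best confirmed with a run triggered by a PHP change before merge.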
@@ -4,6 +4,10 @@ on: # yamllint disable-line rule:truthy pull_request: workflow_dispatch: + +permissions: + contents: read + jobs: lint: name: Lint Javascript