From ff715c050dce1038a054738ce55d6e6210eb7232 Mon Sep 17 00:00:00 2001
From: Panagiotis Siatras
Date: Wed, 20 May 2026 14:47:22 +0300
Subject: [PATCH 1/2] gh: aligned workflow permissions with smallstep/workflows#324
---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/dependabot-auto-merge.yml | 3 +--
 .github/workflows/triage.yml | 1 -
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4d28ec9f..2fb95d75 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,10 @@ concurrency:
 
 jobs:
   ci:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: smallstep/workflows/.github/workflows/goCI.yml@main
     with:
       only-latest-golang: false
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index c0b39e0c..b145ea96 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -2,8 +2,7 @@ name: Dependabot auto-merge
 on: pull_request
 
 permissions:
-  contents: write
-  pull-requests: write
+  pull-requests: read
 
 jobs:
   dependabot-auto-merge:
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 5203ce17..7a0e6325 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -11,7 +11,6 @@ on:
       - reopened
 
 permissions:
-  pull-requests: write
   issues: write
 
 jobs:

From cded0eea52c0e94b575d718c310c2327a5978538 Mon Sep 17 00:00:00 2001
From: Panagiotis Siatras
Date: Wed, 20 May 2026 16:27:27 +0300
Subject: [PATCH 2/2] gh: forwarded codeql secrets through code-scan-cron.yml
---
 .github/workflows/code-scan-cron.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
index 9a35b7fe..b6dee881 100644
--- a/.github/workflows/code-scan-cron.yml
+++ b/.github/workflows/code-scan-cron.yml
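Review bot: The four permissions added under `ci:` are granted to `goCI.yml@main`, a branch reference, so what `security-events: write` and the other grants actually authorize is whatever that reusable workflow does at the time of each run; the same applies to `code-scan.yml@main` in the second patch. Now that the grant is explicit, pinning the reusable workflow to a commit SHA (with the branch or tag in a trailing comment) keeps the permission set and the code it authorizes changing together. A short comment above the block would also help the next reader, e.g. `# mirrors smallstep/workflows#324; security-events: write is required by the called workflow to upload scan results` — the second half of that is inferred from the name and should be confirmed against goCI.yml, which is outside this diff. Whether ci.yml also has a top-level `permissions:` block is not visible in the hunk.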
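Review bot: With the top-level block reduced to `pull-requests: read`, the merge that `dependabot-auto-merge` performs has to obtain `contents: write` and `pull-requests: write` elsewhere, presumably from a job-level `permissions:` block or from the reusable workflow the job calls, neither of which is within the hunk; if that is missing, the job will run but fail on the merge call. Worth confirming in the job definition below the hunk before this lands, and recording the intent inline, e.g. `# read-only at workflow level; the merge step scopes its own write permissions in the job`. The `dependabot-auto-merge` job body continues past the hunk.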
@@ -4,4 +4,9 @@ on:
 
 jobs:
   code-scan:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: smallstep/workflows/.github/workflows/code-scan.yml@main
+    secrets: inherit
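Review bot: `secrets: inherit` forwards every secret available to this repository, including organization-level ones, to `code-scan.yml@main`, while the commit message names only the CodeQL secrets as the reason; a branch reference also means the workflow receiving those secrets can change without any change here. Passing the required secrets by name, `secrets:` followed by one `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}` entry per secret the called workflow declares (placeholder; the real names are in code-scan.yml, outside this diff), limits exposure to what the scan needs, and pinning the workflow to a commit SHA would fix which code receives them. If `inherit` is kept deliberately, a comment such as `# secrets: inherit — code-scan.yml needs the CodeQL credentials; review if more secrets are added to the repo` would record that choice. The `on:` block starts above the hunk; the `code-scan` job itself is fully visible.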