From 51283bd912fae92f1c4982511c9c67b92444e0e6 Mon Sep 17 00:00:00 2001
From: Eric Wyles <23637493+ericwyles@users.noreply.github.com>
Date: Wed, 16 Oct 2024 14:16:43 -0500
Subject: [PATCH 1/2] chore: fix test workflow permissions
---
 .github/workflows/test.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 4d4dbf0..3f16bda 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -26,6 +26,12 @@ on:
 - CONTRIBUTING.md
 - SECURITY.md
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+ packages: read # Allows reading the content of the repository's packages.
+ id-token: write
+
 # Abort prior jobs in the same workflow / PR
 concurrency:
 group: test-${{ github.ref }}
From 0f450729b671cd84c1c35100f9f85c540ef65bcc Mon Sep 17 00:00:00 2001
From: Eric Wyles <23637493+ericwyles@users.noreply.github.com>
Date: Wed, 16 Oct 2024 14:30:32 -0500
Subject: [PATCH 2/2] more workflow permissoins
---
 .github/workflows/ci-docs-shim.yaml | 4 ++++
 .github/workflows/commitlint.yaml | 4 ++++
 .github/workflows/lint.yaml | 4 ++++
 3 files changed, 12 insertions(+)
diff --git a/.github/workflows/ci-docs-shim.yaml b/.github/workflows/ci-docs-shim.yaml
index 080db8b..2b4f7f4 100644
--- a/.github/workflows/ci-docs-shim.yaml
+++ b/.github/workflows/ci-docs-shim.yaml
@@ -8,6 +8,10 @@ on:
 branches: [main]
 types: [milestoned, opened, synchronize]
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+
 jobs:
 validate:
 strategy:
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 90a8315..50fe1a5 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
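Review bot: In the test.yaml hunk, `id-token: write` is granted at workflow level and is the only added scope without a comment, so every job in the workflow can request an OIDC token and the reason is not recorded. If only one job actually authenticates with OIDC (the jobs are outside this hunk, so this is an assumption), declare the scope on that job and keep the workflow default read-only; a job-level `permissions` block replaces the workflow-level one, so it has to restate `contents: read` and `packages: read`. At minimum, document it like the other two lines, e.g. `id-token: write # Required to request an OIDC token for <purpose>`.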
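Review bot: In the ci-docs-shim.yaml hunk, the comment on `contents: read` describes the scope but leaves out the security-relevant effect of the block: once `permissions` is set, every scope that is not listed becomes `none` for the GITHUB_TOKEN. I would state that in the header comment, e.g. `# Least-privilege GITHUB_TOKEN: scopes not listed below are set to none.`, so a maintainer who later adds a step needing another scope knows to extend this block. The same block and comment are added in the commitlint.yaml and lint.yaml hunks.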
@@ -8,6 +8,10 @@ on:
 branches: [main]
 types: [milestoned, opened, edited, synchronize]
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+
 jobs:
 validate:
 uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@f0164622ffc2007e96a0e1deaa3f5064db04b148 # v1.1.0
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 4c67d49..e3994e6 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -3,6 +3,10 @@ name: Lint
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+
 on: # This workflow is triggered on pull requests to the main branch.
 pull_request:
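Review bot: In the commitlint.yaml hunk, the `validate` job calls a reusable workflow, and a called workflow cannot receive more than the caller's token allows, so the new `contents: read` cap also applies to `callable-commitlint.yaml`. Confirm that the callable workflow at the pinned SHA requests no scope beyond `contents: read` (for example `pull-requests: read`); if it does, the run is rejected at startup rather than failing at a step. The callable file is not part of this patch, so this is a check to make rather than a confirmed defect.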
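Review bot: In the lint.yaml hunk, the `permissions` block is inserted before `on:`, whereas the other three workflows in this series place it after the trigger block. Key order does not change behaviour, but using one position everywhere (for instance `name`, `on`, `permissions`, `jobs`) makes it quicker to audit token scopes across the workflow directory.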