From 65779e2e5e22aef346f944c9ad45f57c738f1b90 Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Mon, 20 Oct 2025 18:03:46 -0400
Subject: [PATCH 1/2] Scope down GitHub token permissions for
 validate-changelog.yml

---
 .github/workflows/validate-changelog.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/validate-changelog.yml b/.github/workflows/validate-changelog.yml
index 70315c19..d638df83 100644
--- a/.github/workflows/validate-changelog.yml
+++ b/.github/workflows/validate-changelog.yml
@@ -5,6 +5,10 @@ on:
     paths:
       - 'CHANGELOG.md'
 
+
+permissions:
+  contents: read
+
 jobs:
   validate:
     runs-on: ubuntu-latest

From 1d21cde9173910a8c5d92100761f2a3ae15b10d0 Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Mon, 20 Oct 2025 18:03:50 -0400
Subject: [PATCH 2/2] Scope down GitHub token permissions for build.yml

---
 .github/workflows/build.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 166b52ae..a1564c4a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,6 +24,10 @@ on:
       # GitHub codeowners
       - '.github/CODEOWNERS'
 
+
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true