fix: lock down permissions

Author: gilescope

.markdownlint.yml .github/linters/.markdown-lint.yml.markdownlint.yml renamed to .github/linters/.markdown-lint.yml

@@ -1,5 +1,11 @@
 name: Checkmarx One Scan
 
+# ↓ lock down top‐level permissions to only what we use
+permissions:
+  contents: read             # we only need to checkout code
+  actions: read              # to query workflows/runs
+  pull-requests: write       # to comment on or label PRs
+
 on:
   pull_request:
     branches: [ '**' ]

.github/workflows/checkmarx.yaml

@@ -8,10 +8,9 @@ permissions:
 # Run on pushes to any branch and pull requests
 on:
   push:
-    branches: ['main']
+    branches-ignore: ['main']
   pull_request:
-    branches: ['**']
-
+    branches: ['main']
 jobs:
   # Lint all YAML, JSON & Shell
   lint: