From 7f0222c4a3c11198c200cea5dc49cbe0dc910b72 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:16:48 -0400
Subject: [PATCH 1/4] ci: scope down permissions for pull_request.yml
---
 .github/workflows/pull_request.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 00ddf0d97..570f7b4af 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -11,6 +11,9 @@ concurrency:
 group: environment-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 ubuntu-latest-aurora-run-community-tests:
 name: 'Run Community Tests'
From 764ac4c37f4108a35e132e863f9faa2a69966de0 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:16:50 -0400
Subject: [PATCH 2/4] ci: scope down permissions for maven_snapshot.yml
---
 .github/workflows/maven_snapshot.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/maven_snapshot.yml b/.github/workflows/maven_snapshot.yml
index 998b1f913..77e6a87fb 100644
--- a/.github/workflows/maven_snapshot.yml
+++ b/.github/workflows/maven_snapshot.yml
@@ -6,6 +6,9 @@ on:
 - main
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 ubuntu-latest-aurora-snapshot-to-maven:
 name: 'Build And Upload Snapshot to Maven'
From b09657e347c3cb73c9a7ecb1f1cade129aa0f133 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:16:52 -0400
Subject: [PATCH 3/4] ci: scope down permissions for remove-old-artifacts.yml
---
 .github/workflows/remove-old-artifacts.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/remove-old-artifacts.yml b/.github/workflows/remove-old-artifacts.yml
index 11e87980b..ed9ff6836 100644
--- a/.github/workflows/remove-old-artifacts.yml
+++ b/.github/workflows/remove-old-artifacts.yml
@@ -5,6 +5,9 @@ on:
 # Every day at 1am
 - cron: '0 1 * * *'
+permissions:
+ actions: write
+
 jobs:
 remove-old-artifacts:
 runs-on: ubuntu-latest
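Review bot: The new top-level `permissions:` block in pull_request.yml has no comment saying that every scope left unlisted drops to `none`, which is what the next editor needs to know when a step starts failing with a 403. I would add one line above it, for example `# Least privilege: scopes not listed here are none; grant extras on the job that needs them.` The same comment fits the blocks added to maven_snapshot.yml and maven_release.yml. The job's steps lie outside the hunk, so whether any of them calls an API that needs more than `contents: read` cannot be confirmed from here.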
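Review bot: `actions: write` is granted at workflow level in remove-old-artifacts.yml, so any job later added to this file silently inherits a write-capable Actions token. Only the `remove-old-artifacts` job appears to need it, so I would put `permissions: {}` at the top level and move `permissions:` with `actions: write` under that job. The job's steps are outside the hunk; if the cleanup is done by a third-party action, it is the code that receives this token, and pinning it to a full commit SHA is worth checking in the same pass.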
From dbb38d2f1a3d471186285b3f8b4afbafc5a3e8b5 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 13:16:54 -0400
Subject: [PATCH 4/4] ci: scope down permissions for maven_release.yml
---
 .github/workflows/maven_release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/maven_release.yml b/.github/workflows/maven_release.yml
index 492e90569..a27f14bd3 100644
--- a/.github/workflows/maven_release.yml
+++ b/.github/workflows/maven_release.yml
@@ -5,6 +5,9 @@ on:
 types:
 - published
+permissions:
+ contents: read
+
 jobs:
 ubuntu-latest-aurora-release-to-maven:
 name: 'Build And Release to Maven'
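Review bot: With `contents: read` set for the whole of maven_release.yml, any step that writes back to the published release with the GITHUB_TOKEN (attaching build artifacts, editing release notes) will start failing, because that needs `contents: write`. The steps are outside the hunk, so this should be checked against the job body. If such a step exists, keep the top-level block as added and grant `contents: write` on that one job only. The block also narrows only the GITHUB_TOKEN: whatever repository secrets the Maven publish step presumably uses stay available to every step in the job, here and in maven_snapshot.yml.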