From 7a5389e8ca1997e75d318f15a1da3db5c7b2dce6 Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Tue, 21 Oct 2025 17:18:23 -0400
Subject: [PATCH 1/2] ci: scope down permissions for remove-old-artifacts.yml

---
 .github/workflows/remove-old-artifacts.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/remove-old-artifacts.yml b/.github/workflows/remove-old-artifacts.yml
index 60e2408d3..0a1d96058 100644
--- a/.github/workflows/remove-old-artifacts.yml
+++ b/.github/workflows/remove-old-artifacts.yml
@@ -5,6 +5,9 @@ on:
     # Every day at 1am
     - cron: '0 1 * * *'
 
+permissions:
+  actions: write
+
 jobs:
   remove-old-artifacts:
     runs-on: ubuntu-latest

From d3bd9dc46922d8e78927b3764c54133800e7b809 Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Tue, 21 Oct 2025 17:18:24 -0400
Subject: [PATCH 2/2] ci: scope down permissions for main.yml

---
 .github/workflows/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index bb29959c7..89659835a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -16,6 +16,9 @@ on:
       - 'ISSUE_TEMPLATE/**'
       - '**/remove-old-artifacts.yml'
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest