From aa01a0fac80a444f4f56882ea2b574c7c5adc8e8 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:13:47 -0400
Subject: [PATCH 1/6] ci: scope down permissions for repo-sync.yml

---
 .github/workflows/repo-sync.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
index e3776d399..cf250b944 100644
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
@@ -3,6 +3,10 @@ name: Repo Sync
 on:
 workflow_dispatch: # allows triggering this manually through the Actions UI
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 repo-sync:
 name: Repo Sync

From 07952070d13e5fbd647ef1be85ba207d5b6d399b Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:13:49 -0400
Subject: [PATCH 2/6] ci: scope down permissions for daily_ci.yml

---
 .github/workflows/daily_ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/daily_ci.yml b/.github/workflows/daily_ci.yml
index a5c5ddc02..9a38443ff 100644
--- a/.github/workflows/daily_ci.yml
+++ b/.github/workflows/daily_ci.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "00 15 * * 1-5"
 
+permissions:
+ contents: read
+
 jobs:
 codebuild_batch:
 # Don't run the cron builds on forks

From ec1b2410476ec9b28c7d39396f324579305b6954 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:13:51 -0400
Subject: [PATCH 3/6] ci: scope down permissions for ci_test-vector-handler.yaml

---
 .github/workflows/ci_test-vector-handler.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci_test-vector-handler.yaml b/.github/workflows/ci_test-vector-handler.yaml
index 433f805f8..493b33f72 100644
--- a/.github/workflows/ci_test-vector-handler.yaml
+++ b/.github/workflows/ci_test-vector-handler.yaml
@@ -9,6 +9,9 @@ on:
 INTEG_AWS_SECRET_ACCESS_KEY:
 required: true
 
+permissions:
+ contents: read
+
 jobs:
 tests:
 # Leaving this defined but disabled
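Review bot: The `contents: write` and `pull-requests: write` grants added to repo-sync.yml are set at the workflow level with no comment recording which step consumes them; add `# repo-sync pushes the synced branch and opens the PR with GITHUB_TOKEN` (or whatever the job actually does) above `permissions:` so the next reviewer can tell the writes are load-bearing rather than a leftover. If the sync step instead authenticates with a stored PAT, which sync actions commonly do so that the created PR triggers downstream workflows, these GITHUB_TOKEN writes are unused and the block can drop to `contents: read`. The job body that would settle this is outside the hunk, so this is hedged.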
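Review bot: The workflow-level `contents: read` added to daily_ci.yml, and the identical blocks in ci_test-vector-handler.yaml, ci_decrypt-oracle.yaml, ci_tests.yaml and ci_static-analysis.yaml, do not merge with a job-level `permissions:` block; a job that declares its own (for example `id-token: write` for OIDC-based AWS credentials) replaces the workflow default entirely and has to restate `contents: read` if it checks out the repository. None of the job bodies are visible in these hunks, so a grep for job-level `permissions:` in the six files is worth doing before merging. For the three `workflow_call` files the token is also bounded by the calling workflow's grant and can never exceed it, so the callers, which are not part of this series, need a matching block for the reduction to hold end to end; a one-line `# reusable workflow: effective permissions cannot exceed the caller's` above `permissions:` would record that.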
From 92e6056ff3c7756430c43556d34c0e71bbb3e807 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:13:53 -0400
Subject: [PATCH 4/6] ci: scope down permissions for ci_decrypt-oracle.yaml

---
 .github/workflows/ci_decrypt-oracle.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci_decrypt-oracle.yaml b/.github/workflows/ci_decrypt-oracle.yaml
index 131beb1a7..c56e43a63 100644
--- a/.github/workflows/ci_decrypt-oracle.yaml
+++ b/.github/workflows/ci_decrypt-oracle.yaml
@@ -3,6 +3,9 @@ name: Continuous Integration tests for the decrypt oracle
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 tests:
 runs-on: ubuntu-latest

From 02f56234349ce72694bc92962f0003af3178d4ad Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:13:55 -0400
Subject: [PATCH 5/6] ci: scope down permissions for ci_tests.yaml

---
 .github/workflows/ci_tests.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml
index acb0b9b33..65dd80c5d 100644
--- a/.github/workflows/ci_tests.yaml
+++ b/.github/workflows/ci_tests.yaml
@@ -13,6 +13,9 @@ env:
 AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: |
 arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
 
+permissions:
+ contents: read
+
 jobs:
 tests:
 runs-on: ${{ matrix.os }}

From 13182eafb751861816e83f84d4e3911430e4cca4 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 17:13:57 -0400
Subject: [PATCH 6/6] ci: scope down permissions for ci_static-analysis.yaml

---
 .github/workflows/ci_static-analysis.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci_static-analysis.yaml b/.github/workflows/ci_static-analysis.yaml
index fe5f44b7c..37a5e0cf3 100644
--- a/.github/workflows/ci_static-analysis.yaml
+++ b/.github/workflows/ci_static-analysis.yaml
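Review bot: In ci_tests.yaml the new `permissions:` block is inserted between the `env:` map and `jobs:`, whereas the other five patches place it directly after the `on:` stanza; moving it above `env:` keeps the six workflows uniform and puts the token scope next to the trigger, where reviewers look for it. The block's content is fine as written. The file's `on:` stanza is outside the hunk.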
@@ -3,6 +3,9 @@ name: Static analysis checks
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 analysis:
 runs-on: ubuntu-latest