From 4d64b6bad37a3efa63a9001c6d0203364a93ccb0 Mon Sep 17 00:00:00 2001
From: Joseph-Percival-ONS <joseph.percival@ons.gov.uk>
Date: Fri, 14 Nov 2025 15:57:46 +0000
Subject: [PATCH] implement code scanning autofixes

---
 .github/workflows/ci.yml             | 2 ++
 .github/workflows/rename-project.yml | 4 ++--
 .github/workflows/security-scan.yml  | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index db24e01..a1107f2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,7 @@
 ---
 name: CI
+permissions: 
+  contents: read
 
 on: # yamllint disable-line rule:truthy
   push:
diff --git a/.github/workflows/rename-project.yml b/.github/workflows/rename-project.yml
index c5e131e..ac1dc50 100644
--- a/.github/workflows/rename-project.yml
+++ b/.github/workflows/rename-project.yml
@@ -27,7 +27,7 @@ jobs:
           # by default, it uses a depth of 1
           # this fetches all history so that we can read each commit
           fetch-depth: 0
-          ref: ${{ github.head_ref }}
+          ref: ${{ github.ref }}
 
       - name: Check Repository is not a Template
         uses: actions/github-script@v8
@@ -109,7 +109,7 @@ jobs:
 
       - name: Create Pull Request
         if: env.is_template == 'false' && env.needs_renaming == 'true'
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7 sha
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Ready to clone and use template
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 3b6d355..5f20652 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -1,5 +1,7 @@
 ---
 name: Security Scan
+permissions: 
+  contents: read
 
 on: # yamllint disable-line rule:truthy
   push: