From bdf647c55b0ed59d8166c5d44d4b50fcb03a7a3b Mon Sep 17 00:00:00 2001
From: Karthikeyan Padaikathu
Date: Wed, 14 Jan 2026 15:07:02 -0800
Subject: [PATCH 1/2] fix: add top-level permissions to workflow files

---
 .github/workflows/codeql-analysis.yml | 4 ++++
 .github/workflows/deploy.yml          | 3 +++
 .github/workflows/test.yml            | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7dc838c..d44efdc 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,6 +18,10 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ master ]
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c2c2882..83bb661 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - deploy-**
 
+permissions:
+  contents: read
+  deployments: write
 jobs:
   deploy:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9404060..2450215 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,4 +1,8 @@
 name: "build-test"
+
+permissions:
+  contents: read
+
 on: # rebuild any PRs and main branch changes
   pull_request:
   push:

From 8b5e71e588cb0360a66a72084f1a95f2877c61a9 Mon Sep 17 00:00:00 2001
From: Karthikeyan Padaikathu
Date: Wed, 14 Jan 2026 15:12:55 -0800
Subject: [PATCH 2/2] fix: add deployments write permission to test workflow

---
 .github/workflows/test.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2450215..f364e40 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,6 +2,7 @@ name: "build-test"
 
 permissions:
   contents: read
+  deployments: write
 
 on: # rebuild any PRs and main branch changes
   pull_request:
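Review bot: `deployments: write` is granted at the top level of build-test, so every job in the workflow — including the `pull_request`-triggered runs visible right below the block — receives a token that can create and update deployments, which is wider than the "contents: read" baseline the first patch established and more than most test jobs need. Keep the top-level block at `contents: read` and move the write scope to the single job that actually touches deployments, remembering that a job-level block replaces the top-level one for that job, so it must repeat the read scope: `permissions:` / `  contents: read` / `  deployments: write`. The jobs themselves lie outside this hunk, so which step needs the scope is not visible here; a comment on that job-level block such as `# deployments: write — needed by the deployment-status step` would document why the test workflow carries it at all. Note also that on `pull_request` runs from forks the token is read-only regardless of this block, so a step that depends on the scope will fail there unless it is gated on the event.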