From 90f7bb8250ba600143e718570368d0f5a8f0331c Mon Sep 17 00:00:00 2001
From: Becky Smith
Date: Wed, 11 Feb 2026 16:35:46 +0000
Subject: [PATCH 1/2] Add explicit permissions for GHA workflows
---
 .github/workflows/build_and_publish.yaml | 3 +++
 .github/workflows/tests.yaml | 2 ++
 .github/workflows/update-ubuntu-sha.yaml | 2 ++
 3 files changed, 7 insertions(+)
diff --git a/.github/workflows/build_and_publish.yaml b/.github/workflows/build_and_publish.yaml
index 00ffc02..6607860 100644
--- a/.github/workflows/build_and_publish.yaml
+++ b/.github/workflows/build_and_publish.yaml
@@ -11,6 +11,9 @@ env:
 BASE_IMAGE_NAME: base-docker
 ACTION_IMAGE_NAME: base-action
 UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }}
+permissions:
+ packages: write
+ contents: write
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index f261f27..c957ea0 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -4,6 +4,8 @@ on:
 env:
 IMAGE_NAME: base-docker
 UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }}
+permissions:
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/update-ubuntu-sha.yaml b/.github/workflows/update-ubuntu-sha.yaml
index 0f41a2b..1e96822 100644
--- a/.github/workflows/update-ubuntu-sha.yaml
+++ b/.github/workflows/update-ubuntu-sha.yaml
@@ -10,6 +10,8 @@ on:
 env:
 BASE_IMAGE_NAME: base-docker
 ACTION_IMAGE_NAME: base-action
+permissions:
+ contents: write
 jobs:
 update:
 runs-on: ubuntu-latest
From 82366a67c332ee5fa0c7d15900ba3d2efde7077a Mon Sep 17 00:00:00 2001
From: Becky Smith
Date: Wed, 11 Feb 2026 17:50:36 +0000
Subject: [PATCH 2/2] Update .github/workflows/build_and_publish.yaml
Co-authored-by: Simon Davy
---
 .github/workflows/build_and_publish.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_and_publish.yaml b/.github/workflows/build_and_publish.yaml
index 6607860..aeb8418 100644
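Review bot: The new `permissions` block in build_and_publish.yaml sits at workflow level, so `packages: write` is granted to every job in the file rather than only to the job that pushes images; only the `build` job header is visible in this hunk, so if the workflow has further jobs that do not publish, the tighter shape is a workflow-level `permissions:` / `  contents: read` and `permissions:` / `  packages: write` declared on the publishing job alone. The same workflow-wide placement applies to the `contents: write` added to update-ubuntu-sha.yaml in the third hunk. Patch 2 of this series already narrows `contents` to `read` in this file, so that is not re-raised here. The `build` job body continues outside the hunk.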
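Review bot: `contents: write` in update-ubuntu-sha.yaml is added without any note of what the `update` job does with it, and the job body is outside this hunk; if the job opens a pull request through the API rather than pushing a commit it will also need `pull-requests: write`, so the two paths should be checked before this lands. If it does push with the default token, it is worth recording in a comment that commits made with `GITHUB_TOKEN` do not trigger other workflows, so an updated SHA would not be exercised by tests.yaml on that push. A comment above the block such as `# contents: write: the update job commits the refreshed Ubuntu image SHA` (wording to confirm against the job steps) would document the need for the elevated scope.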
--- a/.github/workflows/build_and_publish.yaml
+++ b/.github/workflows/build_and_publish.yaml
@@ -13,7 +13,7 @@ env:
 UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }}
 permissions:
 packages: write
- contents: write
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
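Review bot: With `contents` now narrowed to `read`, the remaining `packages: write` is the only elevated scope in the block and carries no comment tying it to the step that needs it, which is the first thing a later reviewer will ask when auditing token scopes. A line above it such as `# packages: write: the publish step pushes the built images to GitHub Packages` (wording to confirm against the push step, which is outside this hunk) would document that. The `build` job body continues past the end of the hunk.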