From eade515605b3cbc79382f5fc4e35b0cfe307290f Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:21:01 -0400
Subject: [PATCH 1/6] ci: scope down permissions for cdk-e2e.yaml
Signed-off-by: Adnan Khan
---
 .github/workflows/cdk-e2e.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/cdk-e2e.yaml b/.github/workflows/cdk-e2e.yaml
index 7d0b5afd..42db540a 100644
--- a/.github/workflows/cdk-e2e.yaml
+++ b/.github/workflows/cdk-e2e.yaml
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 strategy:
From 0cdeb7d546b8fd4243c5422d92bfa245374ab305 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:21:03 -0400
Subject: [PATCH 2/6] ci: scope down permissions for submodulesync.yaml
Signed-off-by: Adnan Khan
---
 .github/workflows/submodulesync.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/submodulesync.yaml b/.github/workflows/submodulesync.yaml
index 8493c295..c80735dd 100644
--- a/.github/workflows/submodulesync.yaml
+++ b/.github/workflows/submodulesync.yaml
@@ -5,6 +5,10 @@ on:
 - cron: '0 9 * * 1'
 workflow_dispatch:
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 update:
 runs-on: ubuntu-latest
From dcba67e1ed61c089bcca1028581fc5c958ee1fd0 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:21:04 -0400
Subject: [PATCH 3/6] ci: scope down permissions for release-please.yml
Signed-off-by: Adnan Khan
---
 .github/workflows/release-please.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index f5127862..a997d8ea 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -3,6 +3,10 @@ on:
 branches:
 - main
 name: release-please
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 release-please:
 runs-on: ubuntu-latest
From 123e1ba5072ed3162355aaa99d460007b0d00012 Mon Sep 17 00:00:00 2001
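Review bot: A one-line comment above the new `permissions:` block in cdk-e2e.yaml would tell later editors what this floor means and where to widen it: `# Workflow-wide token floor; grant extra scopes per job only where a step needs them.` The `build-and-test` job body continues outside the hunk, so whether any step needs more than read (for example `id-token: write` if the end-to-end run authenticates to a cloud account via OIDC) cannot be confirmed here; if it does, add it under that job rather than at the workflow level. The same comment fits the identical `contents: read` hunks in windows-ci.yaml and macos-ci.yaml.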
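Review bot: In submodulesync.yaml the workflow-level `contents: write` and `pull-requests: write` grant those scopes to every job in the file, not only to the `update` job that presumably needs them; least privilege is tighter if the workflow level stays `contents: read` and the two write scopes move under `jobs.update.permissions`. Only one job is visible in this hunk, so the practical effect is the same today, but job-level placement keeps the write grant from silently extending to any job added later. The same applies to the `release-please` hunk in release-please.yml. The `update` job body continues outside the hunk.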
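Review bot: In release-please.yml the new `permissions:` stanza follows `name: release-please` with no separating blank line, unlike every other hunk in this series, which keeps one blank context line between top-level stanzas; the `@@ -3,6 +3,10 @@` counts confirm none exists, so insert a blank line before `permissions:`. Moving `name:` to the top of the file above `on:` is the conventional layout and would read better, but that line is context here, not part of the change. The `release-please` job body continues outside the hunk.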
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:21:06 -0400
Subject: [PATCH 4/6] ci: scope down permissions for lint-pr-title.yml
Signed-off-by: Adnan Khan
---
 .github/workflows/lint-pr-title.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
index 87809d5c..fb36d3bb 100644
--- a/.github/workflows/lint-pr-title.yml
+++ b/.github/workflows/lint-pr-title.yml
@@ -8,6 +8,10 @@ on:
 - reopened
 - synchronize
+permissions:
+ pull-requests: read
+ contents: read
+
 jobs:
 main:
 name: conventional-commit
From 3cfca85fa94265c422c4cb0a04223d912bd824c2 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:21:08 -0400
Subject: [PATCH 5/6] ci: scope down permissions for windows-ci.yaml
Signed-off-by: Adnan Khan
---
 .github/workflows/windows-ci.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/windows-ci.yaml b/.github/workflows/windows-ci.yaml
index fb9a7e85..c6ff8e03 100644
--- a/.github/workflows/windows-ci.yaml
+++ b/.github/workflows/windows-ci.yaml
@@ -21,6 +21,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 install-dependencies:
 # This is a spot check for make install.dependencies on Windows platform.
From eb82b49f95f55d8b685eb2f101a0158ee0753515 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:21:10 -0400
Subject: [PATCH 6/6] ci: scope down permissions for macos-ci.yaml
Signed-off-by: Adnan Khan
---
 .github/workflows/macos-ci.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/macos-ci.yaml b/.github/workflows/macos-ci.yaml
index 44b0e15e..fa0d33d0 100644
--- a/.github/workflows/macos-ci.yaml
+++ b/.github/workflows/macos-ci.yaml
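Review bot: In lint-pr-title.yml the key order `pull-requests: read` then `contents: read` is the reverse of the two other patches in this series that grant both scopes (submodulesync.yaml and release-please.yml list `contents` first); reorder to `contents: read` then `pull-requests: read` for consistency. The visible trigger events (`reopened`, `synchronize`) indicate a pull-request workflow, and read-only is the right floor for a title check; if the action in the `main` job is configured to post a comment when the title fails, that step would need `pull-requests: write` at the job level, which this hunk cannot confirm either way. The `main` job body continues outside the hunk.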
@@ -25,6 +25,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 install-dependencies:
 # This is a spot check for make install.dependencies on macOS x86/ARM platforms.