Merge branch 'main' into add-nginx-api-config-option

dhurley · dhurley · commit d3c1ebf846c4 · 2026-01-15T13:03:28.000Z
diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml
@@ -39,6 +39,9 @@ on:
       ARTIFACTORY_URL:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build-assertion-document:
     name: Create Assertion Document
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -87,6 +87,7 @@ jobs:
     name: Vulnerability Scan
     uses: ./.github/workflows/vulncheck.yml
     permissions:
+      contents: read
       security-events: write
     with:
       target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -55,6 +55,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
@@ -14,6 +14,9 @@ on:
         required: false
         default: 'main'
 
+permissions:
+  contents: read
+
 jobs:
   vulncheck:
     name: Vulnerability Check
