From 2ab172dabdfc1348bf918edeb18cc47523a4d637 Mon Sep 17 00:00:00 2001
From: Frazer Smith
Date: Mon, 31 Mar 2025 15:27:11 +0100
Subject: [PATCH 1/2] ci: set workflow permissions to read-only by default
---
 .github/workflows/check-linked-issues.yml | 6 ++++++
 .github/workflows/ci.yml | 10 ++++++++--
 .github/workflows/notify-release.yml | 5 +++++
 .github/workflows/release.yml | 7 +++++++
 4 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/check-linked-issues.yml b/.github/workflows/check-linked-issues.yml
index 49e7cc59..ad377d42 100644
--- a/.github/workflows/check-linked-issues.yml
+++ b/.github/workflows/check-linked-issues.yml
@@ -4,9 +4,15 @@ on:
 pull_request_target:
 types: [opened, edited, reopened, synchronize]
+permissions:
+ contents: read
+
 jobs:
 check_pull_requests:
 runs-on: ubuntu-latest
+ permissions:
+ issues: read
+ pull-requests: write
 name: Check linked issues
 steps:
 - uses: nearform-actions/github-action-check-linked-issues@v1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 91b8ca23..414ae30c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,9 +1,15 @@
 name: CI
 on:
 push:
- branches: main
+ branches:
+ - main
 pull_request:
- branches: main
+ branches:
+ - main
+
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/notify-release.yml b/.github/workflows/notify-release.yml
index a4804deb..b0096b45 100644
--- a/.github/workflows/notify-release.yml
+++ b/.github/workflows/notify-release.yml
@@ -5,9 +5,14 @@ on:
 types: [published]
 schedule:
 - cron: '30 8 * * *'
+permissions:
+ contents: read
 jobs:
 setup:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ contents: read
 steps:
 - name: Notify release
 uses: nearform-actions/github-action-notify-release@v1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9a439bae..b8067bc7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
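Review bot: The job now holds `pull-requests: write` under a `pull_request_target` trigger, which runs with the base repository's token for PRs from any fork, yet its only visible step, `nearform-actions/github-action-check-linked-issues@v1`, is pinned to a mutable tag; with a write-scoped token in play, pin it to a full commit SHA and keep the tag in a trailing comment, e.g. `- uses: nearform-actions/github-action-check-linked-issues@<full-commit-sha> # v1`. The same applies to `github-action-notify-release@v1` in the notify-release.yml hunk, whose job carries `issues: write` on an unattended `schedule` trigger. Note also that a job-level `permissions` block replaces the workflow-level one rather than merging with it, so this job no longer has `contents: read`; that is fine as long as no step checks out the repository, which holds for the single step visible here.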
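Review bot: The new workflow-level `permissions: contents: read` replaces the repository's default token scope for every job in ci.yml, so any step in `build` that relied on the previous default (pushing, publishing, commenting) will now fail with a 403 unless that job declares its own `permissions`; the body of `build` continues past the end of the hunk, so this cannot be confirmed from here. A one-line comment above the block would record the intent for the next editor, e.g. `# Default token scope for all jobs; widen per job, never here.`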
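Review bot: Style: this is the only one of the four files where the inserted `permissions:` block is not separated from `jobs:` by a blank line, and the job-level `contents: read` reads as redundant at first glance even though it is required, because a job-level `permissions` block replaces the workflow-level one instead of merging with it. Add a blank line before `jobs:` to match the other workflows and a comment on the job block such as `# job-level permissions replace the workflow defaults, so contents: read must be restated`. Since `issues: write` is also exercised on the unattended `schedule` trigger, keeping it at job scope rather than workflow scope, as done here, is the right shape.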
@@ -15,9 +15,16 @@ on:
 pull_request:
 types: [closed]
+permissions:
+ contents: read
+
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
 steps:
 - name: Setting action build runtime
 uses: actions/setup-node@v4
From 51845752f53eb1816e3f2292a0d20c57f2812842 Mon Sep 17 00:00:00 2001
From: Frazer Smith
Date: Tue, 1 Apr 2025 16:35:04 +0100
Subject: [PATCH 2/2] ci: use latest node version
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 414ae30c..a4a2cd7b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,7 @@ jobs:
 - uses: actions/checkout@v4
 - uses: actions/setup-node@v4
 with:
+ check-latest: true
 node-version-file: '.nvmrc'
 - run: npm ci
 - run: npm run lint
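Review bot: The `release` job is granted `contents: write`, `issues: write` and `pull-requests: write` while its trigger is `pull_request` with `types: [closed]`, and the visible part of the job has no `if:` gating on merge state, so the write-scoped token is handed out for every closed PR, merged or not; if the release steps are meant to run only after a merge, `if: github.event.pull_request.merged == true` belongs on the job, next to the `permissions` block. Other triggers may sit above line 15 of the `on:` block and the steps continue past the hunk, so this may already be handled further down. For fork PRs the `pull_request` token stays read-only regardless of this block, so the grants only take effect for same-repository branches.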
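Review bot: `check-latest: true` makes setup-node query the upstream Node release index on every run to pick the newest release matching `.nvmrc`, which adds a network round-trip and, if `.nvmrc` holds only a major or minor range rather than an exact version, lets the toolchain drift between runs with no change to the repository; `.nvmrc` is not visible here, so which case applies cannot be told. If reproducibility matters more than freshness, keep the exact version in `.nvmrc` and drop the flag; otherwise document the trade-off inline, e.g. `check-latest: true # resolve the newest release matching .nvmrc instead of the runner's cached toolset`. The `build` job this step belongs to starts before the hunk.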