From b483c6d39f2f12375f28ca65c1db72b581ae7555 Mon Sep 17 00:00:00 2001
From: Panagiotis Siatras
Date: Wed, 20 May 2026 14:50:26 +0300
Subject: [PATCH 1/3] gh: aligned workflow permissions with smallstep/workflows#324
---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 518318d..5ef1d9a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,10 @@ on:
 jobs:
 ci:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
 uses: smallstep/workflows/.github/workflows/goCI.yml@main
 with:
 only-latest-golang: false
From e02a78ccd2323771d7e4b4aefc47171839f75b5a Mon Sep 17 00:00:00 2001
From: Panagiotis Siatras
Date: Wed, 20 May 2026 15:34:56 +0300
Subject: [PATCH 2/3] gh: aligned code-scan-cron permissions with smallstep/workflows#324
---
 .github/workflows/code-scan-cron.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
index 342b1db..38e8a51 100644
--- a/.github/workflows/code-scan-cron.yml
+++ b/.github/workflows/code-scan-cron.yml
@@ -4,6 +4,10 @@ on:
 jobs:
 code-scan:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
 uses: smallstep/workflows/.github/workflows/code-scan.yml@main
 secrets:
 GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}
From 5175d27be065c3037c9cf35fc424b03b6791b3fa Mon Sep 17 00:00:00 2001
From: Panagiotis Siatras
Date: Wed, 20 May 2026 16:28:39 +0300
Subject: [PATCH 3/3] gh: forwarded codeql secrets through code-scan-cron.yml
---
 .github/workflows/code-scan-cron.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
index 38e8a51..c0388a3 100644
--- a/.github/workflows/code-scan-cron.yml
+++ b/.github/workflows/code-scan-cron.yml
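Review bot: The `uses:` line directly under the added `permissions:` block in ci.yml still resolves the reusable workflow from the mutable ref `@main`, so the new `security-events: write` grant applies to whatever that branch contains at run time rather than to a reviewed revision. Pinning the callee to a full commit SHA, `uses: smallstep/workflows/.github/workflows/goCI.yml@<full-commit-sha>  # main`, keeps the scoped token tied to known code (the SHA is a placeholder; none is shown on this page). The block would also benefit from a short comment such as `# security-events: write lets the called workflow upload code-scanning results`, assuming that is why the scope is needed. The same two points apply to the identical block added to code-scan-cron.yml in the second patch, and both jobs continue outside their hunks.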
@@ -9,5 +9,4 @@ jobs:
 contents: read
 security-events: write
 uses: smallstep/workflows/.github/workflows/code-scan.yml@main
- secrets:
- GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}
+ secrets: inherit
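Review bot: `secrets: inherit` on the last added line passes every secret this workflow can read to the called workflow, where the removed lines forwarded only `GITLEAKS_LICENSE_KEY`. Because the callee is referenced at `@main`, any later change on that branch gains access to the full set without a change in this repository. Keeping the explicit map and adding only the names the code-scan workflow declares preserves least privilege, e.g. `<CODEQL_SECRET_NAME>: ${{ secrets.<CODEQL_SECRET_NAME> }}` next to the existing `GITLEAKS_LICENSE_KEY` entry (placeholder name; the real ones are not visible here). If `inherit` is kept for maintenance reasons, a comment stating that and naming the secrets the callee is expected to use would help the next reviewer.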