From 5bb2b4678a87a09aacde1faadc60bd84205ec22b Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Tue, 21 Oct 2025 15:37:33 -0400
Subject: [PATCH 1/2] ci: scope down permissions for update_snapshot.yml

---
 .github/workflows/update_snapshot.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/update_snapshot.yml b/.github/workflows/update_snapshot.yml
index 4861005..462e446 100644
--- a/.github/workflows/update_snapshot.yml
+++ b/.github/workflows/update_snapshot.yml
@@ -6,6 +6,9 @@ on:
     branches:
        - 'dependabot/**'
 
+permissions:
+  contents: write
+
 jobs:
   update:
     runs-on: ubuntu-latest

From e05e4ed9756e264df508efbf29872e393c8031ce Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Tue, 21 Oct 2025 15:37:35 -0400
Subject: [PATCH 2/2] ci: scope down permissions for build.yml

---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 185fd6d..3ebc7ad 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,9 @@ on:
     - main
   workflow_dispatch:
   pull_request:
+permissions:
+  contents: read
+
 jobs:
   Build-and-Test-CDK:
     runs-on: ubuntu-latest