From 114db17898f942cff6529c4ac1075e66f8e3b5fe Mon Sep 17 00:00:00 2001
From: Robert Sirchia <rsirchia@outlook.com>
Date: Fri, 13 Sep 2024 16:24:36 -0400
Subject: [PATCH 1/3] adding top-level permissions

Signed-off-by: Robert Sirchia <rsirchia@outlook.com>
---
 .github/workflows/govulncheck.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 61af98137..c619da9f8 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -1,11 +1,13 @@
 name: govulncheck
 on:
   push:
-    paths:
-      - go.sum
+    #paths:
+    #  - go.sum
   schedule:
     - cron: "0 0 * * *"
 
+permissions: read-all
+
 jobs:
   govulncheck:
     name: govulncheck

From 62069eb7b511e7480fd16271e5f0c5ce3455a3c6 Mon Sep 17 00:00:00 2001
From: Robert Sirchia <rsirchia@outlook.com>
Date: Fri, 13 Sep 2024 16:27:53 -0400
Subject: [PATCH 2/3] removing testing trigger from govulncheck action

Signed-off-by: Robert Sirchia <rsirchia@outlook.com>
---
 .github/workflows/govulncheck.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index c619da9f8..f2ef39ea0 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -1,8 +1,8 @@
 name: govulncheck
 on:
   push:
-    #paths:
-    #  - go.sum
+    paths:
+      - go.sum
   schedule:
     - cron: "0 0 * * *"
 

From a8750f4ce991b0aa3e40116091171afa5d359fed Mon Sep 17 00:00:00 2001
From: Robert Sirchia <rsirchia@outlook.com>
Date: Tue, 24 Sep 2024 10:14:38 -0400
Subject: [PATCH 3/3] adding toplevel permissions to workflows missing them

Signed-off-by: Robert Sirchia <rsirchia@outlook.com>
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 29c1f3098..e8fdaaa51 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,8 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 # Note the only differences between release and canary-release jobs are:
 # - only canary passes --overwrite flag
 # - the VERSION make variable passed to 'make dist checksum' is expected to