From 8596b0287dd3efdc6e653d0f9cf34ab83adf5b7a Mon Sep 17 00:00:00 2001
From: Cyrill Berg
Date: Fri, 8 May 2026 14:33:49 +0200
Subject: [PATCH 1/2] ci: add permissions declaration for Docker image build workflow

Signed-off-by: Cyrill Berg
---
 .github/workflows/docker.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 8c5cbeb..02ceb18 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -1,5 +1,7 @@
 name: Build/Publish Docker Image
 
+permissions: read-all
+
 on:
   release:
     types:

From c8f8bd49f0363ebaf6fd9be4916be85e3de1c017 Mon Sep 17 00:00:00 2001
From: Cyrill Berg
Date: Fri, 8 May 2026 14:46:37 +0200
Subject: [PATCH 2/2] ci: scope osv-scanner permissions to job level and add helm-publish top-level permissions

Signed-off-by: Cyrill Berg
---
 .github/workflows/helm-publish.yaml | 2 ++
 .github/workflows/osv-scanner.yml | 10 ++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/helm-publish.yaml b/.github/workflows/helm-publish.yaml
index 12f7b77..34d76cb 100644
--- a/.github/workflows/helm-publish.yaml
+++ b/.github/workflows/helm-publish.yaml
@@ -1,5 +1,7 @@
 name: Publish Helm Chart
 
+permissions: read-all
+
 on:
   release:
     types:

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 081ee5d..4f48580 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -11,12 +11,14 @@ on:
     branches: ["main"]
 
 permissions:
-  actions: read
-  security-events: write
   contents: read
 
 jobs:
   scan-scheduled:
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
     with:
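Review bot: `permissions: read-all` added after the `name:` line grants GITHUB_TOKEN read access on every scope, which is broader than the explicit `contents: read` the series keeps for the scanner workflow; the same line is added to helm-publish.yaml in the second patch. A workflow that publishes an image or a chart presumably needs `packages: write` (and `id-token: write` if it signs via OIDC) on the publishing job, and with a read-only workflow-level grant that job must declare the write scopes itself or the push fails — the jobs are outside this hunk, so I can't confirm it does. Consider replacing the line with `permissions:` / `  contents: read` and granting the write scopes only at job level, so the token carries nothing beyond what each job actually uses.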
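Review bot: The four-line `permissions:` block added under `scan-scheduled:` is repeated verbatim under `scan-pr:` in the next hunk, and neither says why a scan job needs `security-events: write` and `actions: read`, which is what a later maintainer will want before widening or dropping them. Suggest one comment line above each block, e.g. `# security-events: write for the reusable workflow's SARIF upload to code scanning; actions: read presumably required by that workflow too — confirm against the osv-scanner-action docs`. Keeping the workflow-level `contents: read` as the default for any future job is sound; a short `# default for jobs that declare no permissions of their own` would make that intent explicit.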
@@ -26,6 +28,10 @@ jobs:
         -r ./
 
   scan-pr:
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
     with: