From 0419bf5ea54e4c991fcdff58531f9b84d9c6aafc Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Tue, 23 Apr 2024 09:39:33 +1200
Subject: [PATCH 1/4] FIX Set contents read permissions for genmatrix job
---
.github/workflows/ci.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 54aaa11..50072bb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -93,7 +93,10 @@ jobs: # gha-generate-matrix script.php will sanitise matrix outputs so they're safe to use within bash outputs: matrix: ${{ steps.generate-matrix.outputs.matrix }} - + + permissions: + contents: read + steps: - name: Generate matrix id: generate-matrix
From f9eb6a477fd43e6578f8d81090bd5adad7591fcd Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Tue, 23 Apr 2024 09:56:35 +1200
Subject: [PATCH 2/4] FIX Set pull-request read permissions for genmatrix job
---
.github/workflows/ci.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50072bb..219cd63 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -96,6 +96,7 @@ jobs: permissions: contents: read + pull-request: read steps: - name: Generate matrix
From 1f71b4f5a63cb296196469c856d26b4a36f18d8b Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Tue, 23 Apr 2024 10:03:13 +1200
Subject: [PATCH 3/4] FIX Use correct permission
---
.github/workflows/ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 219cd63..d819a7f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -96,7 +96,7 @@ jobs: permissions: contents: read - pull-request: read + pull-requests: read steps: - name: Generate matrix
From f2e19cc456b4263a1a0c29c353e016ec71cc1d38 Mon Sep 17 00:00:00 2001
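Review bot: The `permissions:` block that [PATCH 1/4] adds to the genmatrix job has no comment, although a job-level `permissions:` key sets every scope it does not list to `none` for that job's `GITHUB_TOKEN`. A line above the key would make that visible to the next editor, for example `# job-level permissions: scopes not listed here are none for GITHUB_TOKEN`. [PATCH 4/4] repeats the same `contents: read` block on a second job, so a single workflow-level `permissions:` default with per-job additions may be less error-prone than per-job copies, provided no job outside these hunks needs broader access. The job definition starts and ends outside the hunk.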
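Review bot: The corrected key `pull-requests: read` from [PATCH 3/4] may not be present in the tree that [PATCH 4/4] was made on, because the `index` line of [PATCH 4/4] names `219cd63` as its pre-image, which is the same blob this patch starts from and the one that still holds `pull-request: read`. Confirm that the final ci.yml carries `pull-requests: read`; the singular form is not a permission scope GitHub Actions defines. Running a workflow linter on pull requests would reject an unknown `permissions` key before merge. The block also does not record which step needs pull-request read access, and a short comment such as `# pull-requests: read is needed by <step> (confirm)` would let a later reader judge whether the grant is still required.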
From: Steve Boyd
Date: Tue, 23 Apr 2024 10:23:25 +1200
Subject: [PATCH 4/4] FIX Add contents read permission to tests job
---
.github/workflows/ci.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 219cd63..89269f5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -173,6 +173,9 @@ jobs: outputs: latest_local_sha: ${{ steps.output-sha.outputs.latest_local_sha }} + permissions: + contents: read + steps: - name: Checkout code