From aab34db4de7b921fabe8b3181bdf3dfb8ea6838e Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:44:08 -0400
Subject: [PATCH 1/3] Scope down GitHub token permissions for npm-publish.yml

---
 .github/workflows/npm-publish.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 5f2bef1..84d7856 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -3,6 +3,10 @@ name: Node.js Package
 on:
   release:
     types: [released]
+
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

From ae1da703456b5e17e4e7b092202f34cb2c1236fe Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:44:13 -0400
Subject: [PATCH 2/3] Scope down GitHub token permissions for pull-request.yml

---
 .github/workflows/pull-request.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index ce833c5..710b851 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -3,6 +3,11 @@ name: Run build/tests/lint on pull requests
 on:
   pull_request:
 
+
+permissions:
+  contents: read
+  security-events: write
+
 # By default the karma test runners use the karma 'Chrome' runner
 # This is great when running locally because the browser pops up and you get to see what it does
 # This doesn't work in Actions, however, so we set this env var to force the Headless runner

From b63df8ab59d576b62eb709a986008e295c3e05a8 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Mon, 20 Oct 2025 22:44:18 -0400
Subject: [PATCH 3/3] Scope down GitHub token permissions for push-mainline-to-github-pages.yml

---
 .github/workflows/push-mainline-to-github-pages.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/push-mainline-to-github-pages.yml b/.github/workflows/push-mainline-to-github-pages.yml
index 426a571..5c715de 100644
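Review bot: The workflow-level `permissions: contents: read` sets every unlisted scope of GITHUB_TOKEN to none, so if the `build` job publishes with `npm publish --provenance` or npm trusted publishing it will now fail for lack of `id-token: write`; the job steps are outside this hunk, so this is inferred from the workflow's purpose. If the job does need it, grant it on that job only rather than widening the block here: `permissions:` / `contents: read` / `id-token: write` under `jobs.build`. A short comment above the new block, `# Least privilege: scopes not listed here are 'none' for GITHUB_TOKEN`, would record the intent for the next editor. The `jobs:` mapping begins at the end of the hunk and continues outside it.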
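Review bot: `security-events: write` in the workflow-level block is granted to every job in this workflow, although only the job that uploads code-scanning results needs it, and on `pull_request` the other jobs run PR-controlled code (the karma test suite described in the comments that follow) with that token. Keep the top-level block at `contents: read` and move the write scope to the uploading job: `permissions:` / `contents: read` / `security-events: write` under that job; which job performs the upload lies outside the hunk. For pull requests from forks the token is typically read-only regardless of this block, so the scope mainly matters for same-repository branches. The workflow's jobs are not visible in this hunk.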
--- a/.github/workflows/push-mainline-to-github-pages.yml
+++ b/.github/workflows/push-mainline-to-github-pages.yml
@@ -8,6 +8,10 @@ on:
   push:
     branches: [mainline2.0]
 
+
+permissions:
+  contents: write
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   push_to_gh-pages_branch:
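Review bot: `contents: write` at the workflow level gives every job of this workflow a token that can push to any branch, including the `mainline2.0` branch that triggers it, while only `push_to_gh-pages_branch` appears to need write access; its steps and any sibling jobs are outside the hunk. Keep the top-level block at `contents: read` and add `permissions:` / `contents: write` under `push_to_gh-pages_branch`, so a step or action in any other job cannot push to the repository. If that job deploys through the Pages API rather than by pushing a branch, `pages: write` and `id-token: write` on the job would replace `contents: write` entirely — worth checking against the job's steps. The `jobs:` mapping starts on the hunk's last line and continues outside it.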