frasermolyneux · frasermolyneux · Feb 7, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -7,16 +7,18 @@ on:
       - "bugfix/**"
       - "hotfix/**"
 
-permissions:
-  contents: read
+permissions: read-all
+
 
 jobs:
   build-and-test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: frasermolyneux/actions/dotnet-ci@dotnet-ci/v1.1
         with:
           dotnet-version: |
             9.0.x
             10.0.x
-          src-folder: "src"
+          src-folder: "src"
diff --git a/.github/workflows/codequality.yml b/.github/workflows/codequality.yml
@@ -11,13 +11,15 @@ on:
       - main
     types: [opened, synchronize, reopened, ready_for_review]
 
-permissions:
-  contents: read
-  actions: read
-  security-events: write
+permissions: read-all
+
 
 jobs:
   quality:
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
     uses: frasermolyneux/actions/.github/workflows/codequality.yml@main
     with:
       sonar-project-key: frasermolyneux_api-client-abstractions
@@ -31,14 +33,22 @@ jobs:
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
+  devops-secure-scanning:
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+    uses: frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@main
+
   dependency-review:
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: read
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
       - name: Dependency Review
         uses: actions/dependency-review-action@v4
+
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -11,6 +11,8 @@ on:
     paths:
       - .github/workflows/copilot-setup-steps.yml
 
+permissions: read-all
+
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
   copilot-setup-steps:

diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
@@ -1,12 +1,15 @@
 name: Dependabot Auto-Merge
 on: pull_request
 
-permissions:
-  contents: write
-  pull-requests: write
+
+permissions: read-all
+
 
 jobs:
   dependabot:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
@@ -19,4 +22,4 @@ jobs:
       run: gh pr merge --auto --merge "$PR_URL"
       env:
         PR_URL: ${{github.event.pull_request.html_url}}
-        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
@@ -6,11 +6,13 @@ on:
       - main
     types: [opened, synchronize, reopened, ready_for_review]
 
-permissions:
-  contents: read
+permissions: read-all
+
 
 jobs:
   build-and-test:
+    permissions:
+      contents: read
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
     steps:
@@ -19,4 +21,4 @@ jobs:
           dotnet-version: |
             9.0.x
             10.0.x
-          src-folder: "src"
+          src-folder: "src"
diff --git a/.github/workflows/release-publish-nuget.yml b/.github/workflows/release-publish-nuget.yml
@@ -7,12 +7,15 @@ on:
     types:
       - completed
 
-permissions:
-  contents: write
-  actions: read
+
+permissions: read-all
+
 
 jobs:
   publish-nuget-packages:
+    permissions:
+      contents: write
+      actions: read
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     environment: NuGet
     runs-on: ubuntu-latest
@@ -61,4 +64,4 @@ jobs:
         skipIfReleaseExists: true
         artifacts: nuget-packages/**/*.nupkg
         artifactErrorsFailBuild: false
-        token: ${{ secrets.GITHUB_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-version-and-tag.yml b/.github/workflows/release-version-and-tag.yml
@@ -8,11 +8,14 @@ on:
     paths:
       - 'src/**'
 
-permissions:
-  contents: read
+
+permissions: read-all
+
 
 jobs:
   calculate-version:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     outputs:
       semver: ${{ steps.capture_version.outputs.semver }}
@@ -74,6 +77,8 @@ jobs:
           "tag_name=$tagName" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf8 -Append
 
   dotnet-ci:
+    permissions:
+      contents: read
     needs: calculate-version
     runs-on: ubuntu-latest
     env:
@@ -88,13 +93,13 @@ jobs:
           src-folder: "src"
 
   tag-release:
+    permissions:
+      contents: write
     needs:
       - calculate-version
       - dotnet-ci
     if: needs.calculate-version.outputs.should_tag == 'true'
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
 
     steps:
       - name: Checkout repository
@@ -112,4 +117,4 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         shell: pwsh
         run: |
-          git push origin ${{ needs.calculate-version.outputs.tag_name }}
+          git push origin ${{ needs.calculate-version.outputs.tag_name }}