From 5d5b4639998dd3a2f34d826ea34470c235908861 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit <mathieu-benoit@hotmail.fr>
Date: Sun, 1 Mar 2026 15:53:37 -0500
Subject: [PATCH 1/3] Update permissions in release workflow

Changed permissions for contents from write to read at the workflow level. Retained write permission for the release job.

Signed-off-by: Mathieu Benoit <mathieu-benoit@hotmail.fr>
---
 .github/workflows/release.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e143971..e9d5ae8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,10 +3,12 @@ on:
   release:
     types: [published]
 permissions:
-  contents: write
+  contents: read
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Release

From 39f01fef6ac1ec78821305f8cdd8eb96c61eea7c Mon Sep 17 00:00:00 2001
From: Mathieu Benoit <mathieu-benoit@hotmail.fr>
Date: Sun, 1 Mar 2026 15:55:23 -0500
Subject: [PATCH 2/3] Update link checker arguments in CI workflow

Removed exclusion of Google Meet from link checker arguments.

Signed-off-by: Mathieu Benoit <mathieu-benoit@hotmail.fr>
---
 .github/workflows/ci.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f3aa761..e48d318 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -6,6 +6,9 @@ on:
     branches: main
   pull_request: {}
 
+permissions:
+  contents: read
+
 jobs:
   linkchecker:
     runs-on: ubuntu-latest
@@ -14,8 +17,7 @@ jobs:
       - name: Link Checker
         uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2.7.0
         with:
-          # Providing default parameters plus an exclude for Google Meet which produces a network error when checked
-          args: --verbose --no-progress './**/*.md' './**/*.html' --exclude https://meet.google.com
+          args: --verbose --no-progress './**/*.md' './**/*.html'
           fail: true
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

From eb80ee4c1c049ba8c32cf506d0c014abf55cf30b Mon Sep 17 00:00:00 2001
From: Mathieu Benoit <mathieu-benoit@hotmail.fr>
Date: Sun, 1 Mar 2026 15:57:56 -0500
Subject: [PATCH 3/3] Update permissions in dependabot-auto-merge.yaml

Change permissions for Dependabot auto-merge workflow.

Signed-off-by: Mathieu Benoit <mathieu-benoit@hotmail.fr>
---
 .github/workflows/dependabot-auto-merge.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 3f6a2a1..5c05b7f 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -1,11 +1,13 @@
 name: Dependabot auto-merge
 on: pull_request
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 jobs:
   dependabot-auto-merge:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     if: ${{ github.actor == 'dependabot[bot]' && !github.event.pull_request.auto_merge }}
     steps:
       - name: Approve a PR