From e73113145c5e8dab90f2ea20b841cf37e9b93f10 Mon Sep 17 00:00:00 2001
From: Philipp Page
Date: Tue, 27 Jan 2026 15:35:15 +0100
Subject: [PATCH 1/2] fix(ci): harden GitHub Actions workflow permissions

---
 .github/workflows/build-docs.yml | 6 ++++--
 .github/workflows/check-pmd.yml | 8 +++-----
 .github/workflows/release-drafter.yml | 7 ++++---
 .github/workflows/release.yml | 20 +++++++++++--------
 .github/workflows/security-scorecard.yml | 7 ++++---
 .../demo/kafka/protobuf/ProtobufProduct.java | 4 ++--
 .../protobuf/ProtobufProductOrBuilder.java | 2 +-
 .../protobuf/ProtobufProductOuterClass.java | 4 ++--
 8 files changed, 32 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index fbe7ec659..deadf289a 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -23,12 +23,14 @@ on:
 name: Build Latest Docs
 run-name: Build Latest Docs - ${{ inputs.version }}
 
+permissions: {}
+
 jobs:
 docs:
 runs-on: ubuntu-latest
 permissions:
- contents: read
- id-token: write
+ contents: read # checkout repository
+ id-token: write # OIDC for AWS credentials
 environment: Docs
 steps:
 - name: Checkout Repository
diff --git a/.github/workflows/check-pmd.yml b/.github/workflows/check-pmd.yml
index 78b872744..cc6c53766 100644
--- a/.github/workflows/check-pmd.yml
+++ b/.github/workflows/check-pmd.yml
@@ -18,15 +18,13 @@ on:
 name: PMD
 run-name: PMD - ${{ github.event_name }}
 
-permissions:
- contents: read
+permissions: {}
 
 jobs:
 pmd_analyse:
 runs-on: ubuntu-latest
 permissions:
- contents: write
- id-token: write
+ contents: read # checkout repository
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -39,4 +37,4 @@ jobs:
 - uses: pmd/pmd-github-action@d9c1f3c5940cbf5923f1354e83fa858b4496ebaa # v2.0.0
 with:
 rulesets: '.github/pmd-ruleset.xml'
- token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ token: ${{ secrets.GITHUB_TOKEN }}
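Review bot: `id-token: write # OIDC for AWS credentials` on the docs job is only as tight as the IAM role's trust policy, which this hunk cannot show: the token the job mints carries `sub` = `repo:<owner>/<repo>:environment:Docs`, and the trust condition should match that exact subject (and `aud`) rather than a `repo:<owner>/<repo>:*` wildcard, otherwise any other job in the repository that is granted `id-token: write` could assume the same role. Worth recording next to the grant so the coupling is not lost on the next edit: `id-token: write # OIDC for AWS credentials; role trust policy must pin sub to environment:Docs`. The top-level `permissions: {}` with job-scoped grants is the right shape.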
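Review bot: The `token: ${{ secrets.GITHUB_TOKEN }}` handed to pmd-github-action on the last line now carries only `contents: read` (the job-level block in the previous hunk), with `pull-requests` implicitly `none`. If the action is left in its default `analyzeModifiedFilesOnly` mode it resolves the changed-file set for `pull_request` events through the pull-request API, which may need `pull-requests: read`; the previous grant did not include it either, so confirm on an actual PR run rather than assume, and if it fails add `pull-requests: read # list changed files for analyzeModifiedFilesOnly` under the job's `permissions:`. Independently, since this job never pushes, the checkout step (its `with:` block is outside the hunk) should set `persist-credentials: false` so the token is not left in `.git/config` for later steps.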
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 71416342e..9ef7426f9 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -14,14 +14,15 @@ on:
 name: Release Drafter
 run-name: Release Drafter
 
+permissions: {}
+
 jobs:
 update_release:
 runs-on: ubuntu-latest
 permissions:
- contents: write
- id-token: write
+ contents: write # required for creating draft releases
 steps:
 - name: Relase Drafter
 uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b71237ae3..e1a35a4ac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -55,8 +55,7 @@ on:
 name: Release
 run-name: Release – ${{ inputs.version }}
 
-permissions:
- contents: read
+permissions: {}
 
 env:
 RELEASE_COMMIT: ${{ github.sha }}
@@ -98,6 +97,8 @@ jobs:
 runs-on: ubuntu-latest
 needs:
 - setup
+ permissions:
+ contents: read # checkout repository
 outputs:
 source_hash: ${{ steps.upload_source.outputs.artifact-digest }}
 steps:
@@ -128,8 +129,7 @@ jobs:
 - version_seal
 if: ${{ inputs.skip_checks == false }}
 permissions:
- contents: write
- id-token: write
+ contents: read # checkout and run tests
 steps:
 - id: download_source
 name: Download artifacts
@@ -162,6 +162,8 @@ jobs:
 - quality
 - version_seal
 if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+ permissions:
+ contents: read # download artifacts
 strategy:
 matrix:
 java: ${{ fromJson(needs.setup.outputs.build_matrix) }}
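Review bot: Reducing the job to `contents: write` alone sets `pull-requests` to `none`, but Release Drafter's own permission template asks for at least `pull-requests: read` (write only if the autolabeler is used) because it reads merged pull requests to build the draft notes. The previous grant omitted it too, so if drafts were populated before, the public-repository read path evidently sufficed; either add `pull-requests: read # read merged PRs for release notes` or leave a comment stating why it is not needed, so the next hardening pass does not re-ask the question. Separately, `uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97` is the only pinned action in this patch without a `# vX.Y.Z` tag comment; add one as done for `actions/checkout` so the pin stays auditable.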
@@ -187,6 +189,8 @@ jobs:
 if: ${{ github.repository == 'aws-powertools/powertools-lambda-java' && inputs.skip_publish == false && always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
 needs:
 - build
+ permissions:
+ contents: read # download artifacts
 environment: Release
 steps:
 - id: download_source
@@ -219,8 +223,8 @@ jobs:
 - build
 - publish
 permissions:
- pull-requests: write
- contents: write
+ contents: write # create tag and branch
+ pull-requests: write # create PR
 steps:
 - id: checkout
 name: Checkout repository
@@ -266,8 +270,8 @@ jobs:
 needs:
 - create_pr
 permissions:
- contents: read
- id-token: write
+ contents: read # checkout repository
+ id-token: write # OIDC for AWS credentials
 environment: Docs
 steps:
 - id: checkout
diff --git a/.github/workflows/security-scorecard.yml b/.github/workflows/security-scorecard.yml
index 019de1435..e98c97662 100644
--- a/.github/workflows/security-scorecard.yml
+++ b/.github/workflows/security-scorecard.yml
@@ -23,7 +23,7 @@ on:
 name: OpenSSF Scorecard
 run-name: OpenSSF Scorecard
 
-permissions: read-all
+permissions: {}
 
 jobs:
 analysis:
@@ -31,8 +31,9 @@ jobs:
 runs-on: ubuntu-latest
 environment: Security
 permissions:
- security-events: write
- id-token: write
+ contents: read # checkout repository
+ security-events: write # upload SARIF results
+ id-token: write # OIDC authentication
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProduct.java b/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProduct.java
index 2bf5db844..196c0fa52 100644
--- a/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProduct.java
+++ b/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProduct.java
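Review bot: `contents: read # download artifacts` on the publish job justifies the grant with something it does not enable: as far as I know, `actions/download-artifact` fetching from the same run authenticates with the runner's runtime token, and `GITHUB_TOKEN` permissions only matter for cross-run or cross-repository downloads (which need `actions: read`). If the job also checks out the repository in steps beyond the hunk, say so, `contents: read # checkout repository`; otherwise `permissions: {}` at job level is the accurate minimum. The same comment is used on the build job in the previous hunk and deserves the same correction. Nothing in this block governs the `Release` environment secrets the job still receives.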
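Review bot: `contents: write # create tag and branch` on the create_pr job is repository-wide, not scoped to the release tag: the token can push to any branch and create or move any tag that rulesets do not protect, and `actions/checkout` (the `- id: checkout` step) persists that token in `.git/config` for every later step and build tool in the job. Confirm that branch and tag rulesets on this repository do not exempt `GITHUB_TOKEN`, and make the scope explicit in the comment: `contents: write # create release tag and branch (repo-wide; rulesets must not bypass GITHUB_TOKEN)`. One behavioural caveat worth noting next to `pull-requests: write # create PR`: a PR opened with `GITHUB_TOKEN` does not trigger `pull_request` workflows, so the PMD and dependency checks will not run on it unless that step uses a GitHub App or PAT token; presumably intentional, but a comment saves the next reader the investigation.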
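Review bot: `id-token: write # OIDC authentication` is vaguer than the other comments in this patch and reads like cloud credentials, which is not what scorecard-action does with it: the OIDC token is presented to the Scorecard API to publish results when `publish_results: true` is set (an input outside the hunk). Make the comment say so, `id-token: write # required by scorecard-action to publish results (publish_results)`, and if `publish_results` is not in use the permission can go entirely. The scorecard template also checks out with `persist-credentials: false`; the checkout step's `with:` block is past the hunk, so confirm it is set there so the token, which now carries `security-events: write`, is not left in `.git/config` for later steps.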
@@ -1,7 +1,7 @@ // Generated by the protocol buffer compiler. DO NOT EDIT! // NO CHECKED-IN PROTOBUF GENCODE // source: ProtobufProduct.proto -// Protobuf Java Version: 4.33.1 +// Protobuf Java Version: 4.33.2 package org.demo.kafka.protobuf; @@ -19,7 +19,7 @@ public final class ProtobufProduct extends com.google.protobuf.RuntimeVersion.RuntimeDomain.PUBLIC, /* major= */ 4, /* minor= */ 33, - /* patch= */ 1, + /* patch= */ 2, /* suffix= */ "", "ProtobufProduct"); } diff --git a/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOrBuilder.java b/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOrBuilder.java index caf17ad50..714a2c110 100644 --- a/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOrBuilder.java +++ b/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOrBuilder.java @@ -1,7 +1,7 @@ // Generated by the protocol buffer compiler. DO NOT EDIT! // NO CHECKED-IN PROTOBUF GENCODE // source: ProtobufProduct.proto -// Protobuf Java Version: 4.33.1 +// Protobuf Java Version: 4.33.2 package org.demo.kafka.protobuf; diff --git a/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOuterClass.java b/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOuterClass.java index ce3214777..abefa922f 100644 --- a/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOuterClass.java +++ b/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOuterClass.java @@ -1,7 +1,7 @@ // Generated by the protocol buffer compiler. DO NOT EDIT! // NO CHECKED-IN PROTOBUF GENCODE // source: ProtobufProduct.proto -// Protobuf Java Version: 4.33.1 +// Protobuf Java Version: 4.33.2 package org.demo.kafka.protobuf; 
@@ -13,7 +13,7 @@ private ProtobufProductOuterClass() {} com.google.protobuf.RuntimeVersion.RuntimeDomain.PUBLIC, /* major= */ 4, /* minor= */ 33, - /* patch= */ 1, + /* patch= */ 2, /* suffix= */ "", "ProtobufProductOuterClass"); }
From d8d5237ab3eccf5f89898948ffa686fbaee8281c Mon Sep 17 00:00:00 2001
From: Philipp Page
Date: Tue, 27 Jan 2026 15:35:15 +0100
Subject: [PATCH 2/2] fix(ci): harden GitHub Actions workflow permissions

---
 .github/workflows/security-dependencies-check.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/security-dependencies-check.yml b/.github/workflows/security-dependencies-check.yml
index bbf53db8a..31f7491a2 100644
--- a/.github/workflows/security-dependencies-check.yml
+++ b/.github/workflows/security-dependencies-check.yml
@@ -13,15 +13,14 @@ on:
 name: Verify Dependencies
 run-name: Verify Dependencies – ${{ github.event_name }}
 
-permissions:
- contents: read
+permissions: {}
 
 jobs:
 verify:
 runs-on: ubuntu-latest
 permissions:
- contents: read
- pull-requests: write
+ contents: read # checkout repository and read dependency snapshots
+ pull-requests: write # post review comments
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
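Review bot: `pull-requests: write # post review comments` paired with `contents: read` is the right grant for commenting, but its safety depends on the trigger, which sits above the hunk: on `pull_request` events from forks GitHub downgrades the token to read-only anyway, so the comments will silently not post, while on `pull_request_target` the job runs with this write-capable token against fork-supplied input. If `pull_request_target` is used, make sure the checkout step never checks out the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) and that nothing from the PR is executed; only the dependency snapshot should be read. Also add `persist-credentials: false` to the checkout step (its `with:` block is outside the hunk), since this job only reads the repository and should not leave the token in `.git/config`.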