From aa206dfe0fa953e956736f3fdf95e58a56d4566e Mon Sep 17 00:00:00 2001
From: Stephen Morgan <stephen@doublethink.co.nz>
Date: Thu, 10 Apr 2025 17:26:41 +1200
Subject: [PATCH] ci: explicit permissions and remove pull_request_target

---
 .github/workflows/ci.yml                   | 3 +++
 .github/workflows/conventional-commits.yml | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 284658ba..8c586367 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,9 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   xcodebuild-latest:
     name: xcodebuild (16)
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index f9902d95..667b8f2b 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -2,12 +2,16 @@
 name: 'PR Title is Conventional'
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - edited
       - synchronize
 
+permissions:
+  pull-requests: write
+  contents: read
+
 jobs:
   main:
     name: Validate PR title