frasermolyneux · frasermolyneux · Feb 7, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
@@ -7,11 +7,13 @@ on:
       - "bugfix/**"
       - "hotfix/**"
 
-permissions:
-  contents: read
+
+permissions: read-all
 
 jobs:
   build-and-test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: frasermolyneux/actions/dotnet-ci@dotnet-ci/v1.1

@@ -11,13 +11,15 @@ on:
       - main
     types: [opened, synchronize, reopened, ready_for_review]
 
-permissions:
-  contents: read
-  actions: read
-  security-events: write
 
+permissions: read-all
+
 jobs:
   quality:
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
     uses: frasermolyneux/actions/.github/workflows/codequality.yml@main
     with:
       sonar-project-key: frasermolyneux_portal-repository
@@ -30,3 +32,23 @@ jobs:
       src-folder: src
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  devops-secure-scanning:
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+    uses: frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@main
+
+  dependency-review:
+    permissions:
+      contents: read
+      pull-requests: read
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+
@@ -11,6 +11,8 @@ on:
     paths:
       - .github/workflows/copilot-setup-steps.yml
 
+permissions: read-all
+
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
   copilot-setup-steps:
@@ -33,4 +35,4 @@ jobs:
         with:
             dotnet-version: |
               9.0.x
-              10.0.x-preview
+              10.0.x-preview
@@ -5,12 +5,14 @@ on:
     branches:
       - 'dependabot/**'
 
-permissions:
-  contents: write
-  pull-requests: write
+
+permissions: read-all
 
 jobs:
   dependabot:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:

@@ -3,12 +3,14 @@ name: Deploy Dev
 on:
   workflow_dispatch:
 
-permissions:
-  contents: read
-  id-token: write
+
+permissions: read-all
 
 jobs:
   build-and-test:
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: frasermolyneux/actions/dotnet-web-ci@main
@@ -27,6 +29,9 @@ jobs:
           src-folder: "src"
 
   terraform-plan-and-apply-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: build-and-test
     runs-on: ubuntu-latest
@@ -68,6 +73,9 @@ jobs:
       sql_database_name: ${{ steps.terraform-output.outputs.sql_database_name }}
 
   deploy-sql-database-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: terraform-plan-and-apply-dev
     runs-on: ubuntu-latest
@@ -86,6 +94,9 @@ jobs:
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
   app-service-deploy-v1-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: [build-and-test, terraform-plan-and-apply-dev, deploy-sql-database-dev]
     runs-on: ubuntu-latest
@@ -102,6 +113,9 @@ jobs:
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
   app-service-deploy-v2-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: [build-and-test, terraform-plan-and-apply-dev, deploy-sql-database-dev]
     runs-on: ubuntu-latest

@@ -8,15 +8,17 @@ on:
   schedule:
     - cron: "0 3 * * 4"
 
-permissions:
-  contents: read
-  id-token: write
+
+permissions: read-all
 
 concurrency:
   group: ${{ github.workflow }}
 
 jobs:
   build-and-test:
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: frasermolyneux/actions/dotnet-web-ci@main
@@ -35,6 +37,9 @@ jobs:
           src-folder: "src"
 
   terraform-plan-and-apply-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: build-and-test
     runs-on: ubuntu-latest
@@ -76,6 +81,9 @@ jobs:
       sql_database_name: ${{ steps.terraform-output-dev.outputs.sql_database_name }}
 
   deploy-sql-database-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: terraform-plan-and-apply-dev
     runs-on: ubuntu-latest
@@ -94,6 +102,9 @@ jobs:
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
   app-service-deploy-v1-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: [build-and-test, terraform-plan-and-apply-dev, deploy-sql-database-dev]
     runs-on: ubuntu-latest
@@ -110,6 +121,9 @@ jobs:
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
   app-service-deploy-v2-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: [build-and-test, terraform-plan-and-apply-dev, deploy-sql-database-dev]
     runs-on: ubuntu-latest
@@ -126,6 +140,9 @@ jobs:
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
   terraform-plan-and-apply-prd:
+    permissions:
+      contents: read
+      id-token: write
     environment: Production
     needs:
       - app-service-deploy-v1-dev
@@ -169,6 +186,9 @@ jobs:
       sql_database_name: ${{ steps.terraform-output-prd.outputs.sql_database_name }}
 
   deploy-sql-database-prd:
+    permissions:
+      contents: read
+      id-token: write
     environment: Production
     needs: terraform-plan-and-apply-prd
     runs-on: ubuntu-latest
@@ -187,6 +207,9 @@ jobs:
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
   app-service-deploy-v1-prd:
+    permissions:
+      contents: read
+      id-token: write
     environment: Production
     needs: [build-and-test, terraform-plan-and-apply-prd, deploy-sql-database-prd]
     runs-on: ubuntu-latest
@@ -203,6 +226,9 @@ jobs:
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
   app-service-deploy-v2-prd:
+    permissions:
+      contents: read
+      id-token: write
     environment: Production
     needs: [build-and-test, terraform-plan-and-apply-prd, deploy-sql-database-prd]
     runs-on: ubuntu-latest

@@ -5,12 +5,14 @@ on:
   #schedule:
   #  - cron: "50 0 * * *"
 
-permissions:
-  contents: read
-  id-token: write # This is required for Az CLI Login
 
+permissions: read-all
+
 jobs:
   terraform-destroy-dev:
+    permissions:
+      contents: read
+      id-token: write # This is required for Az CLI Login
     environment: Development
     runs-on: ubuntu-latest
 

@@ -12,12 +12,14 @@ on:
           - dev
           - prd
 
-permissions:
-  contents: read
-  id-token: write # This is required for Az CLI Login
 
+permissions: read-all
+
 jobs:
   terraform-destroy:
+    permissions:
+      contents: read
+      id-token: write # This is required for Az CLI Login
     environment: ${{ inputs.environment == 'prd' && 'Production' || 'Development' }}
     runs-on: ubuntu-latest
 

@@ -6,12 +6,14 @@ on:
     branches:
       - 'integration/**'
 
-permissions:
-  contents: read
-  id-token: write # This is required for Az CLI Login
 
+permissions: read-all
+
 jobs:
   terraform-get-outputs-dev:
+    permissions:
+      contents: read
+      id-token: write # This is required for Az CLI Login
     environment: Development
     runs-on: ubuntu-latest
 
@@ -63,6 +65,9 @@ jobs:
       api_audience: ${{ steps.terraform-output.outputs.api_audience }}
 
   run-api-integration-tests-dev:
+    permissions:
+      contents: read
+      id-token: write # This is required for Az CLI Login
     environment: Development
     runs-on: ubuntu-latest
     needs: [terraform-get-outputs-dev]