From 111e0d69555c9ae8fb7f92029d9981ec3078f135 Mon Sep 17 00:00:00 2001
From: Thomas Pedley <Thomas.Pedley1@nhs.net>
Date: Mon, 1 Jun 2026 14:30:09 +0100
Subject: [PATCH] NHSO-0000: Fix code scan issues.

---
 .github/workflows/continuous-integration.yml | 4 +++-
 .github/workflows/pr-lint.yaml               | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index c57a46d..1a67efd 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -1,6 +1,8 @@
 name: Build
 
 on: push
+permissions:
+  contents: read
 
 jobs:
   build:
@@ -33,7 +35,7 @@ jobs:
         run: python -m pip install --upgrade pip setuptools wheel
 
       - name: Install poetry
-        run: pip install "poetry<2.0.0"
+        run: pip install --only-binary :all: "poetry==1.8.4"
 
       - name: Cache poetry packages
         uses: actions/cache@v3
diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml
index 204bc2e..3f3644d 100644
--- a/.github/workflows/pr-lint.yaml
+++ b/.github/workflows/pr-lint.yaml
@@ -1,5 +1,8 @@
 name: PR Quality Check
 on: pull_request
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   link-ticket:
     runs-on: ubuntu-latest