From 79678cf984c6415eba952d4835bc4f936f9757da Mon Sep 17 00:00:00 2001
From: toluo-stripe
Date: Mon, 20 Oct 2025 17:31:57 -0400
Subject: [PATCH 1/2] fix: add explicit permissions to generate-docs workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves CWE-276 security alert by adding explicit permissions block with contents: read. This follows the principle of least privilege for GitHub Actions workflows.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
Committed-By-Agent: claude
---
 .github/workflows/generate-docs.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
index 21901753eb..cef446b6e9 100644
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@@ -8,6 +8,8 @@ jobs:
 generate-docs:
 name: generate-docs
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 steps:
 - name: checkout
 uses: actions/checkout@v4

From 2bd97b58d3a437a23d9896a9e94e9f280d40ee6d Mon Sep 17 00:00:00 2001
From: toluo-stripe
Date: Fri, 24 Oct 2025 01:29:08 -0400
Subject: [PATCH 2/2] Add workflow trigger
---
 .github/workflows/generate-docs.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
index cef446b6e9..1f7441e00f 100644
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@@ -3,6 +3,7 @@ name: Generate docs
 on:
 push:
 branches: [master]
+ workflow_dispatch:
 jobs:
 generate-docs:
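Review bot: In the first patch, `permissions:` is set on the `generate-docs` job only, so a job added to this workflow later would fall back to the repository's default token scope; declaring `permissions:` with `contents: read` at the top level of the file would make read-only the default for every job. The step list continues past the hunk, so it is worth confirming that no later step pushes generated docs with `GITHUB_TOKEN` (it would now be refused) or authenticates with a separate secret, which this block does not constrain. If no later step needs git credentials, adding `persist-credentials: false` under `with:` on the `checkout` step keeps the token out of the working tree's git config.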
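Review bot: `workflow_dispatch:` in the second patch lets anyone with write access start this workflow from any branch or tag, so the `branches: [master]` filter under `push:` no longer bounds which ref the job builds from. The steps are outside the hunk; if any of them publishes the generated docs or reads a secret, a manual run on a feature branch would do so with that branch's content. A job-level `if: github.ref == 'refs/heads/master'` on `generate-docs` would keep manual runs restricted to master, and the commit message could state why the manual trigger is needed.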