From c488fa0b92bf8a5c7c27eba38c25d99ca99ef46b Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]"
 <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Fri, 22 May 2026 00:52:38 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/codecov-scan.yaml | 5 ++++-
 .github/workflows/cx-one-scan.yaml  | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codecov-scan.yaml b/.github/workflows/codecov-scan.yaml
index b17b845..67ef2c6 100644
--- a/.github/workflows/codecov-scan.yaml
+++ b/.github/workflows/codecov-scan.yaml
@@ -8,9 +8,12 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   run:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
 
     steps:
     - name: Checkout code
diff --git a/.github/workflows/cx-one-scan.yaml b/.github/workflows/cx-one-scan.yaml
index 8db81f2..ee06828 100644
--- a/.github/workflows/cx-one-scan.yaml
+++ b/.github/workflows/cx-one-scan.yaml
@@ -12,7 +12,7 @@ on:
 jobs:
   cx-one-scan:
     name: cx-one-scan
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2