From 3ae5ad12f30a4a1df7901ece00791d1fa5ee4757 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 22 Jul 2025 04:08:54 +0000
Subject: [PATCH 1/4] Bump nokogiri from 1.18.8 to 1.18.9 in /docs

Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.18.8 to 1.18.9.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.18.8...v1.18.9)
---
updated-dependencies:
- dependency-name: nokogiri
dependency-version: 1.18.9
dependency-type: indirect
...
Signed-off-by: dependabot[bot]
---
 docs/Gemfile.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock
index acd6a24..8603fca 100644
--- a/docs/Gemfile.lock
+++ b/docs/Gemfile.lock
@@ -210,9 +210,9 @@ GEM
 jekyll-feed (~> 0.9)
 jekyll-seo-tag (~> 2.1)
 minitest (5.25.1)
- nokogiri (1.18.8-arm64-darwin)
+ nokogiri (1.18.9-arm64-darwin)
 racc (~> 1.4)
- nokogiri (1.18.8-x86_64-linux-gnu)
+ nokogiri (1.18.9-x86_64-linux-gnu)
 racc (~> 1.4)
 octokit (4.25.1)
 faraday (>= 1, < 3)
From 653ece96c73cccc9c6ac21388259fc60a6426adb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Dec 2025 14:38:50 +0000
Subject: [PATCH 2/4] Bump rexml from 3.3.9 to 3.4.2 in /docs

Bumps [rexml](https://github.com/ruby/rexml) from 3.3.9 to 3.4.2.
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/rexml/compare/v3.3.9...v3.4.2)
---
updated-dependencies:
- dependency-name: rexml
dependency-version: 3.4.2
dependency-type: indirect
...
Signed-off-by: dependabot[bot]
---
 docs/Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock
index 8603fca..bec29bd 100644
--- a/docs/Gemfile.lock
+++ b/docs/Gemfile.lock
@@ -224,7 +224,7 @@ GEM
 rb-fsevent (0.11.2)
 rb-inotify (0.10.1)
 ffi (~> 1.0)
- rexml (3.3.9)
+ rexml (3.4.2)
 rouge (3.26.0)
 ruby2_keywords (0.0.5)
 rubyzip (2.3.2)
From ddd3f8145fa65d859fb5b231a218112ebda63edd Mon Sep 17 00:00:00 2001
From: Rob Rudin
Date: Fri, 23 Jan 2026 09:54:05 -0500
Subject: [PATCH 3/4] MLE-26598 Bumped to 1.3.1

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index cfed115..a8a0a29 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "marklogic-python-client"
-version = "1.3.0"
+version = "1.3.1"
 description = "Python client for MarkLogic, built on the requests library"
 authors = ["MarkLogic "]
 readme = "README.md"
From 53013fb1bc1a194af7dd43bf81eae32ae9de4fcf Mon Sep 17 00:00:00 2001
From: GAdityaVarma
Date: Wed, 8 Apr 2026 19:26:11 +0530
Subject: [PATCH 4/4] SECCMP-1797: Add top-level permissions to restrict default token

Adds explicit top-level permissions: contents: read to limit the default GITHUB_TOKEN scope for all jobs. Individual jobs that need write access (copyright-validation) already declare their own permissions block which overrides the default. This follows the principle of least privilege recommended in GitHub's PwnRequest security guidance.
---
 .github/workflows/pr-workflow.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pr-workflow.yaml b/.github/workflows/pr-workflow.yaml
index 9165227..c0275b1 100644
--- a/.github/workflows/pr-workflow.yaml
+++ b/.github/workflows/pr-workflow.yaml
@@ -1,18 +1,17 @@
 name: PR Workflow
 on:
- # Using pull_request_target instead of pull_request to handle PRs from forks
 pull_request_target:
 types: [opened, edited, reopened, synchronize]
- # No branch filtering - will run on all PRs
+
+permissions:
+ contents: read
 jobs:
 jira-pr-check:
 name: 🏷️ Validate JIRA ticket ID
- # Use the reusable workflow from the central repository
 uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main
 with:
- # Pass the PR title from the event context
 pr-title: ${{ github.event.pull_request.title }}
 copyright-validation:
 name: © Validate Copyright Headers
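Review bot: The rationale comment above `pull_request_target:` is removed while the trigger itself is kept, so the new file no longer records why a workflow that runs with the base repository's token on fork PRs was chosen over `pull_request`; with `types` including `edited` and `synchronize`, that trigger is exactly the exposure the new `permissions:` block is meant to cap, and it deserves one line such as `# pull_request_target runs with base-repo token on fork PRs; top-level permissions cap it to contents: read`. The unchanged `uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main` line pins the reusable workflow to a mutable branch, so the steps executed in this privileged context can change without any change being reviewed here; pinning to a full-length commit SHA, with the tracked branch named in a comment, would make the dependency reproducible. The top-level `permissions` also bounds what that called workflow may request, so its own permissions declaration should be checked against `contents: read` once the SHA is pinned. The copyright-validation job that the commit message says carries its own write permissions begins on the hunk's last line, and its permissions block lies outside this view, so that claim cannot be confirmed from the diff.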