From 199db03b0bd9b3ee8c84a19b41dd8edb6c495751 Mon Sep 17 00:00:00 2001
From: Rune Johansen <runejo@gmail.com>
Date: Fri, 16 May 2025 15:17:56 +0200
Subject: [PATCH 1/3] ci: set minimal workflow permissions

---
 .github/workflows/msbuild.yml    | 4 +++-
 .github/workflows/sonarcloud.yml | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/msbuild.yml b/.github/workflows/msbuild.yml
index 0e50e7c3..8565af30 100644
--- a/.github/workflows/msbuild.yml
+++ b/.github/workflows/msbuild.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -55,4 +58,3 @@ jobs:
           context: .
           load: true
           tags: pxwebapi:${{ github.sha }}
-
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index ddfecca5..bbf4964a 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

From 72d0fceea9ec9c48f096d16674757f9c7a7d8cfd Mon Sep 17 00:00:00 2001
From: Rune Johansen <runejo@gmail.com>
Date: Fri, 16 May 2025 15:19:44 +0200
Subject: [PATCH 2/3] build: bump alpine linux to 3.21

---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c12c4beb..8fbdab61 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # Learn about building .NET container images:
 # https://github.com/dotnet/dotnet-docker/blob/main/samples/README.md
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0.408-alpine3.20 AS build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0.408-alpine3.21 AS build
 ARG TARGETARCH
 WORKDIR /source
 
@@ -15,7 +15,7 @@ RUN \
 # Enable globalization and time zones:
 # https://github.com/dotnet/dotnet-docker/blob/main/samples/enable-globalization.md
 # final stage/image
-FROM mcr.microsoft.com/dotnet/aspnet:8.0.15-alpine3.20
+FROM mcr.microsoft.com/dotnet/aspnet:8.0.15-alpine3.21
 EXPOSE 8080
 
 ENV \

From 8538509db20c0a864923806b6263a3ed84d34b86 Mon Sep 17 00:00:00 2001
From: Rune Johansen <runejo@gmail.com>
Date: Fri, 16 May 2025 15:21:44 +0200
Subject: [PATCH 3/3] build: Bump System.IO.Packaging from 4.7.0 to 8.0.1

Fixes security warning on Nais platform
---
 PxWeb/PxWeb.csproj | 1 +
 1 file changed, 1 insertion(+)

diff --git a/PxWeb/PxWeb.csproj b/PxWeb/PxWeb.csproj
index 97f7d820..8c34195a 100644
--- a/PxWeb/PxWeb.csproj
+++ b/PxWeb/PxWeb.csproj
@@ -55,6 +55,7 @@
     <PackageReference Include="Swashbuckle.AspNetCore.Newtonsoft" Version="8.1.1" />
     <PackageReference Include="Swashbuckle.AspNetCore.SwaggerGen" Version="8.1.1" />
     <PackageReference Include="Swashbuckle.AspNetCore.SwaggerUI" Version="8.1.1" />
+    <PackageReference Include="System.IO.Packaging" Version="8.0.1" />
     <PackageReference Include="System.Net.Http" Version="4.3.4" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
     <PackageReference Include="System.Text.Encoding.CodePages" Version="8.0.0" />