From 2491dd513c2bbbc136e33b41043c7b60aa407ca9 Mon Sep 17 00:00:00 2001
From: Niels van Velzen <git@ndat.nl>
Date: Fri, 5 Nov 2021 22:12:43 +0100
Subject: [PATCH 1/2] Specify repository info in openapi head checkout

---
 .github/workflows/openapi.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml
index b81875d2c8..798ce5898a 100644
--- a/.github/workflows/openapi.yml
+++ b/.github/workflows/openapi.yml
@@ -13,7 +13,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
         with:
-          ref: ${{ github.head_ref }}
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
       - name: Setup .NET Core
         uses: actions/setup-dotnet@v1
         with:

From 07b9ba2bb4aadfea7c177df8e747b3e79409d8af Mon Sep 17 00:00:00 2001
From: Niels van Velzen <git@ndat.nl>
Date: Fri, 5 Nov 2021 22:43:09 +0100
Subject: [PATCH 2/2] Set GITHUB_TOKEN permissions to read only in OpenAPI
 workflow

---
 .github/workflows/openapi.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml
index 798ce5898a..ea9188f1b1 100644
--- a/.github/workflows/openapi.yml
+++ b/.github/workflows/openapi.yml
@@ -9,6 +9,7 @@ jobs:
   openapi-head:
     name: OpenAPI - HEAD
     runs-on: ubuntu-latest
+    permissions: read-all
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
@@ -34,6 +35,7 @@ jobs:
     name: OpenAPI - BASE
     if: ${{ github.base_ref != '' }}
     runs-on: ubuntu-latest
+    permissions: read-all
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2