From d6822272b76302f8d7ee4f835c2f12f054aa46be Mon Sep 17 00:00:00 2001
From: Sean Arms <67096+lesserwhirls@users.noreply.github.com>
Date: Fri, 13 Mar 2026 08:52:34 -0600
Subject: [PATCH 1/2] Add explicit permissions for GitHub workflows

---
 .github/workflows/deps.yml                    | 6 +++++-
 .github/workflows/docs-tutorials.yml          | 3 +++
 .github/workflows/docs.yml                    | 3 +++
 .github/workflows/libaec.yml                  | 3 +++
 .github/workflows/libblosc2.yml               | 3 +++
 .github/workflows/style.yml                   | 6 +++++-
 .github/workflows/test-native-compression.yml | 3 +++
 .github/workflows/tests.yml                   | 6 +++++-
 8 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/deps.yml b/.github/workflows/deps.yml
index cba6596dd1..0ebd0b1527 100644
--- a/.github/workflows/deps.yml
+++ b/.github/workflows/deps.yml
@@ -1,4 +1,8 @@
-on: [pull_request]
+on:
+  pull_request:
+
+permissions:
+  contents: read
 
 jobs:
   check-dependency-availability:
diff --git a/.github/workflows/docs-tutorials.yml b/.github/workflows/docs-tutorials.yml
index 26d6d661c0..4bea37c4ab 100644
--- a/.github/workflows/docs-tutorials.yml
+++ b/.github/workflows/docs-tutorials.yml
@@ -1,6 +1,9 @@
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check-doc-build:
     name: netCDF-Java Documentation Code Deprecation Check
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 5ce3156c5a..9d70484f5e 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -5,6 +5,9 @@ on:
       - 'docs/build.gradle'
       - 'gradle/**'
 
+permissions:
+  contents: read
+
 jobs:
   check-doc-build:
     name: netCDF-Java Documentation Build Check
diff --git a/.github/workflows/libaec.yml b/.github/workflows/libaec.yml
index faf8108f7f..48134aee59 100644
--- a/.github/workflows/libaec.yml
+++ b/.github/workflows/libaec.yml
@@ -13,6 +13,9 @@ name: libaec build using CMake on multiple platforms
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/libblosc2.yml b/.github/workflows/libblosc2.yml
index f9ffbbf959..29d4aa86d0 100644
--- a/.github/workflows/libblosc2.yml
+++ b/.github/workflows/libblosc2.yml
@@ -3,6 +3,9 @@ name: C-Blosc2 build using CMake on multiple platforms
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index c1caa4bf88..3bd894d8ef 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -1,4 +1,8 @@
-on: [pull_request]
+on:
+  pull_request:
+
+permissions:
+  contents: read
 
 jobs:
   check-style:
diff --git a/.github/workflows/test-native-compression.yml b/.github/workflows/test-native-compression.yml
index 58efe262af..7ce8f63f73 100644
--- a/.github/workflows/test-native-compression.yml
+++ b/.github/workflows/test-native-compression.yml
@@ -7,6 +7,9 @@ on:
       - 'native-compression/build.gradle'
       - '.github/workflows/test-native-compression.yml'
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     strategy:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 716e2f6dd1..22514edb45 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,4 +1,8 @@
-on: [pull_request]
+on:
+  pull_request:
+
+permissions:
+  contents: read
 
 jobs:
   netcdf-java-tests:

From b6fa7e04bac06b2342e77e02827ff6323ea1c4a2 Mon Sep 17 00:00:00 2001
From: Sean Arms <67096+lesserwhirls@users.noreply.github.com>
Date: Fri, 13 Mar 2026 08:52:48 -0600
Subject: [PATCH 2/2] Update CODEOWNERS

---
 .github/CODEOWNERS | 27 ++++++---------------------
 1 file changed, 6 insertions(+), 21 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 5aaa687e38..d1e7fa699f 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,19 +1,6 @@
-# This is a comment.
-# Each line is a file pattern followed by one or more owners.
-
-# These owners will be the default owners for everything in the repo.
-# Unless a later match takes precedence, @global-owner1 and @global-owner2
-# will be requested for review when someone opens a pull request.
-# *       @global-owner1 @global-owner2
-
-# Order is important; the last matching pattern takes the most precedence.
-# When someone opens a pull request that only modifies JS files, only @js-owner
-# and not the global owner(s) will be requested for a review.
-# *.js    @js-owner
-
-# You can also use email addresses if you prefer. They'll be used to look up
-# users just like we do for commit author emails.
-# docs/*  docs@example.com
+####################
+# Global  defaults #
+####################
 
 * @lesserwhirls
 
@@ -21,8 +8,7 @@
 # top level modules #
 #####################
 
-httpservices/** @DennisHeimbigner @lesserwhirls
-netcdf4/** @DennisHeimbigner @lesserwhirls
+# None at this time
 
 ###########################################
 # classpath / not module specific matches #
@@ -30,9 +16,6 @@ netcdf4/** @DennisHeimbigner @lesserwhirls
 
 **/iosp/nids/** @dopplershift @lesserwhirls
 
-**/opendap/** @DennisHeimbigner @lesserwhirls
-**/dap4/** @DennisHeimbigner @lesserwhirls
-
 ######################
 # general file types #
 ######################
@@ -43,3 +26,5 @@ netcdf4/** @DennisHeimbigner @lesserwhirls
 ####################
 # individual files #
 ####################
+
+# None at this time
\ No newline at end of file