4 files changed, 17 insertions, 2 deletions

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 225e2ef..bf5c04c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,6 +31,7 @@ jobs:
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
         with:
+          config-file: ./.github/codeql/codeql-config.yml
           languages: "javascript"
           queries: +security-and-quality
 
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f87c1ca..4e9a939 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -46,6 +46,8 @@ jobs:
   publish:
     needs: deploy
     runs-on: ubuntu-latest
+    if: github.repository == 'twbs/icons'
+
     steps:
       - name: Clone repository
         uses: actions/checkout@v3
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index babe51a..c92b0b1 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -6,9 +6,17 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      # allow release-drafter/release-drafter to create GitHub releases and add labels to PRs
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
+    if: github.repository == 'twbs/icons'
     steps:
       - uses: release-drafter/release-drafter@v5
         env:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 94ca588..493a4df 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,8 +2,9 @@ name: Tests
 
 on:
   push:
-    branches-ignore:
-      - "dependabot/**"
+    branches:
+      - main
+      - "!dependabot/**"
   pull_request:
   workflow_dispatch:
 
@@ -11,6 +12,9 @@ env:
   FORCE_COLOR: 2
   NODE: 18
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest