From 4d8812a3c00981428863680d7cdf9da5b8090c5b Mon Sep 17 00:00:00 2001
From: Ankitsinghsisodya
Date: Sat, 28 Mar 2026 01:31:46 +0530
Subject: [PATCH 1/2] ci: fix test-e2e-podman to use matrix.os instead of hardcoded runner

The job defines a matrix with ubuntu-latest (x86_64) and ubuntu-24.04-arm (ARM64) but runs-on was hardcoded to ubuntu-latest, so both matrix entries ran on x86_64. Use the matrix value so ARM64 tests actually run on ARM hardware.

Fixes knative/func#3537
---
 .github/workflows/functions.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/functions.yaml b/.github/workflows/functions.yaml
index 7a5b0f5857..ee24d1a194 100644
--- a/.github/workflows/functions.yaml
+++ b/.github/workflows/functions.yaml
@@ -247,12 +247,12 @@ jobs:
 test-e2e-podman:
 name: E2E - Podman
 needs: precheck
- runs-on: ubuntu-latest
 strategy:
 matrix:
 os:
 - "ubuntu-latest" # x86_64
 - "ubuntu-24.04-arm" # ARM64
+ runs-on: ${{ matrix.os }}
 env:
 FUNC_CLUSTER_RETRIES: 5
 FUNC_E2E_PODMAN: true

From d43e1679337be94b3e487dd7d84446fb5c197621 Mon Sep 17 00:00:00 2001
From: Ankitsinghsisodya
Date: Sat, 28 Mar 2026 01:56:21 +0530
Subject: [PATCH 2/2] ci: add top-level permissions for least-privilege security

Add `permissions: contents: read` to the test-podman-next workflow to restrict the default GITHUB_TOKEN to read-only access.

Fixes #3539
---
 .github/workflows/test-podman-next.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/test-podman-next.yaml b/.github/workflows/test-podman-next.yaml
index 8a786f528c..b40b62f650 100644
--- a/.github/workflows/test-podman-next.yaml
+++ b/.github/workflows/test-podman-next.yaml
@@ -1,5 +1,8 @@
 name: Func Podman Next Test
 
+permissions:
+ contents: read
+
 on:
 schedule:
 - cron: '0 2 * * *'
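Review bot: In the `test-e2e-podman` job of `.github/workflows/functions.yaml`, the `strategy` block shown in the hunk sets only `matrix`, so GitHub's default `fail-fast: true` applies and a failure on one runner cancels the other matrix entry while it is still in progress. Now that the ARM64 entry really runs on ARM hardware, consider adding `fail-fast: false` under `strategy:` so each architecture reports its own result. The job's steps lie outside the hunk; any step there that fetches an architecture-specific binary should be checked against `ubuntu-24.04-arm` as well.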
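Review bot: The new top-level `permissions:` block in `.github/workflows/test-podman-next.yaml` leaves every GITHUB_TOKEN scope other than `contents: read` at `none`, and the file does not document that consequence. The jobs are outside the hunk, so it is worth confirming that none of them writes with the token (for example opening an issue or posting a status when the nightly run fails). If one does, grant that scope on the job rather than widening the top-level block. A comment above the block would record the intent, e.g. `# Least privilege: scopes not listed here are set to none; grant extras per job.`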