Skip to content

CI: add least-privilege permissions to GitHub Actions workflows#122

Open
peter-matkovski wants to merge 11 commits into
mainfrom
ci/workflow-least-privilege-permissions
Open

CI: add least-privilege permissions to GitHub Actions workflows#122
peter-matkovski wants to merge 11 commits into
mainfrom
ci/workflow-least-privilege-permissions

Conversation

@peter-matkovski

@peter-matkovski peter-matkovski commented Jul 8, 2026

Copy link
Copy Markdown

Summary

  • Add explicit least-privilege permissions blocks to workflow files flagged by CodeQL.
  • Scopes derived from workflow operations (build, artifacts, Danger, release git push).
  • Resolves 6 open actions/missing-workflow-permissions alerts.

Linear

Test plan

  • CI green
  • Code scanning alerts close after merge

Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski temporarily deployed to feeds-enabled-shard July 8, 2026 11:27 — with GitHub Actions Inactive
@peter-matkovski peter-matkovski self-assigned this Jul 8, 2026
@peter-matkovski peter-matkovski requested a review from a team July 9, 2026 09:37
@peter-matkovski peter-matkovski enabled auto-merge (squash) July 9, 2026 11:41
Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/reviewdog.yml Outdated
Comment thread .github/workflows/scheduled_test.yml Outdated
Co-authored-by: 🌵 Yun Wang <yun.wang@getstream.io>
Co-authored-by: 🌵 Yun Wang <yun.wang@getstream.io>
Co-authored-by: 🌵 Yun Wang <yun.wang@getstream.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants