From 4e86a1eaab5f9fcd94616549d2503d7e0ea962bc Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:30:57 +0200 Subject: [PATCH 1/2] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 108ec0f..db033bf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: unit: name: Unit Tests & Code Quality From 3464ff6ae885d592007bfa04ddda433b81245c0f Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:53:58 +0200 Subject: [PATCH 2/2] fix(ci): align workflow token permissions with actual operations --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index db033bf..6f7d0ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,7 +12,6 @@ concurrency: permissions: contents: read - pull-requests: read jobs: unit: