From 755c3daf74f1ed0404acdecb3bff6f7f717f6cbe Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:04 +0200 Subject: [PATCH 1/5] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9e8519b4..1abe3a98 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: ci: name: ๐Ÿงช Test & lint From 19e5e45e9882b485887b62cb9f43573ee5821577 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:05 +0200 Subject: [PATCH 2/5] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/initiate_release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/initiate_release.yml b/.github/workflows/initiate_release.yml index f78e7ea8..6db25a8a 100644 --- a/.github/workflows/initiate_release.yml +++ b/.github/workflows/initiate_release.yml @@ -9,6 +9,10 @@ on: type: string pattern: "^[0-9]+\\.[0-9]+\\.[0-9]+$" +permissions: + contents: write + pull-requests: write + jobs: init_release: name: ๐Ÿš€ Create release PR From 6c9ba6b9009039b9f8242144f4fa26d0c527c801 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:06 +0200 Subject: [PATCH 3/5] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6d763e1c..c3c52389 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,10 @@ on: branches: - main +permissions: + contents: read + pull-requests: read + jobs: Release: name: ๐Ÿš€ Release From 20acf5241cbdd6c060b690ace143bcf89b6fffc2 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:07 +0200 Subject: [PATCH 4/5] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/scheduled_test.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/scheduled_test.yml b/.github/workflows/scheduled_test.yml index 0a27ebc5..ce60398a 100644 --- a/.github/workflows/scheduled_test.yml +++ b/.github/workflows/scheduled_test.yml @@ -6,6 +6,10 @@ on: # Monday at 9:00 UTC - cron: "0 9 * * 1" +permissions: + contents: read + pull-requests: write + jobs: test: environment: ci From 59c170648ba257deb1d8b5bb4ad6c671a33b3922 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:00 +0200 Subject: [PATCH 5/5] fix(ci): align workflow token permissions with actual operations --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1abe3a98..58c23f50 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,6 @@ concurrency: permissions: contents: read - pull-requests: read jobs: ci: