From 9960f2502c8ad404bf6dbbe4a7d61b8f48cd43f2 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:30:48 +0200 Subject: [PATCH 1/7] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 69f9b372..07c21590 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: build: name: ๐Ÿงช Test & lint From f714a7f017020bcc23e4bb81bc5378d1e1391495 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:30:49 +0200 Subject: [PATCH 2/7] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/initiate_release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/initiate_release.yml b/.github/workflows/initiate_release.yml index 5fee524a..09ffaff2 100644 --- a/.github/workflows/initiate_release.yml +++ b/.github/workflows/initiate_release.yml @@ -7,6 +7,10 @@ on: description: "The new version number with 'v' prefix. Example: v1.40.1" required: true +permissions: + contents: write + pull-requests: write + jobs: init_release: name: ๐Ÿš€ Create release PR From 7733d5b738b6f46dd611968ecf0f9afe19db3d92 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:30:50 +0200 Subject: [PATCH 3/7] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d1b7c266..35657ddf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,10 @@ on: branches: - master +permissions: + contents: read + pull-requests: read + jobs: Release: name: ๐Ÿš€ Release From 485b30a5ec8ff813a47678a8a3eda71b0c30fc96 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:30:51 +0200 Subject: [PATCH 4/7] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/reviewdog.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index fc887632..a9c2dbef 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -6,6 +6,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: reviewdog: name: ๐Ÿถ Reviewdog From 7b25ffc599601561873de111dfdf938db80b7665 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:30:52 +0200 Subject: [PATCH 5/7] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/scheduled_test.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/scheduled_test.yml b/.github/workflows/scheduled_test.yml index 4b9e5a31..8b97e0be 100644 --- a/.github/workflows/scheduled_test.yml +++ b/.github/workflows/scheduled_test.yml @@ -6,6 +6,10 @@ on: # Monday at 9:00 UTC - cron: "0 9 * * 1" +permissions: + contents: read + pull-requests: write + jobs: test: runs-on: ubuntu-latest From b1baefe16c7d9f7d3025e4829a7c34c33ceb9034 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:19 +0200 Subject: [PATCH 6/7] fix(ci): align workflow token permissions with actual operations --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 07c21590..50f0a587 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,6 @@ concurrency: permissions: contents: read - pull-requests: read jobs: build: From 0cf3b93c9aadfe6d972d94f940ebdf4664eebd5a Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:21 +0200 Subject: [PATCH 7/7] fix(ci): align workflow token permissions with actual operations --- .github/workflows/reviewdog.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index a9c2dbef..cafd0e26 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -8,7 +8,6 @@ concurrency: permissions: contents: read - pull-requests: read jobs: reviewdog: