From ec73900a71637984a801b93222f369e238f4d714 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:32:40 +0200 Subject: [PATCH 1/6] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 94e6532..c277391 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: build: runs-on: ubuntu-latest From c723f2c41bb8b734229dae0e117f1a0bf73fe9ab Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:32:41 +0200 Subject: [PATCH 2/6] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/initiate_release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/initiate_release.yml b/.github/workflows/initiate_release.yml index c027b01..8f8e82d 100644 --- a/.github/workflows/initiate_release.yml +++ b/.github/workflows/initiate_release.yml @@ -7,6 +7,10 @@ on: description: "The new version number with 'v' prefix. Example: v1.40.1" required: true +permissions: + contents: write + pull-requests: write + jobs: init_release: name: 🚀 Create release PR From 6111ed8d98372b099baf4dbdedaae40ad7167cc6 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:32:42 +0200 Subject: [PATCH 3/6] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 39111fc..4eba784 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,10 @@ on: - master - main +permissions: + contents: read + pull-requests: read + jobs: Release: name: 🚀 Release From 8601e9415b00ed3b9201a6114f4d20e3766c122c Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:32:43 +0200 Subject: [PATCH 4/6] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/reviewdog.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index 82dfffc..7a8007c 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -6,6 +6,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: rubocop: name: 🐶 Reviewdog From 8eaaf9f433478cfdc5d11852f98c789989532be9 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:28 +0200 Subject: [PATCH 5/6] fix(ci): align workflow token permissions with actual operations --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c277391..af2bb39 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,6 @@ concurrency: permissions: contents: read - pull-requests: read jobs: build: From cce1f0b13c5636bf9b2f5e3dd64abcb03f549148 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:29 +0200 Subject: [PATCH 6/6] fix(ci): align workflow token permissions with actual operations --- .github/workflows/reviewdog.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index 7a8007c..f2e592d 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -8,7 +8,6 @@ concurrency: permissions: contents: read - pull-requests: read jobs: rubocop: