From b77252d394877c9937c6d0e3310d073abe66e79e Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:24:41 +0200 Subject: [PATCH 1/9] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/beta_version_analyze.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/beta_version_analyze.yml b/.github/workflows/beta_version_analyze.yml index 9fe69aefc..bfc2d3b20 100644 --- a/.github/workflows/beta_version_analyze.yml +++ b/.github/workflows/beta_version_analyze.yml @@ -6,6 +6,9 @@ on: - cron: '0 2 * * 1' workflow_dispatch: +permissions: + contents: read + jobs: # Does a sanity check on packages for the next beta version so we are not surprised by any breaking changes. analyze_beta_versions: From 170c6541457f60c454fcb0d9b51877d9b231cedf Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:24:42 +0200 Subject: [PATCH 2/9] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/distribute_external.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/distribute_external.yml b/.github/workflows/distribute_external.yml index 744735b1f..3e969e84d 100644 --- a/.github/workflows/distribute_external.yml +++ b/.github/workflows/distribute_external.yml @@ -22,6 +22,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: determine_platforms: runs-on: ubuntu-latest From 0bd7c2865f6fbfff6a73ea07a4ea6dfd0e78c6a0 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:24:43 +0200 Subject: [PATCH 3/9] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/distribute_internal.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/distribute_internal.yml b/.github/workflows/distribute_internal.yml index fda1a66bf..f522af2dc 100644 --- a/.github/workflows/distribute_internal.yml +++ b/.github/workflows/distribute_internal.yml @@ -25,6 +25,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: determine_platforms: runs-on: ubuntu-latest From 8b5e0f511bcaf8457c5b46fd14a5085794cb4d62 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:24:44 +0200 Subject: [PATCH 4/9] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/legacy_version_analyze.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/legacy_version_analyze.yml b/.github/workflows/legacy_version_analyze.yml index addcce903..9eb316975 100644 --- a/.github/workflows/legacy_version_analyze.yml +++ b/.github/workflows/legacy_version_analyze.yml @@ -17,6 +17,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: # Centralizes every gating decision for this workflow — path filter, draft # state, and push-vs-PR semantics. Downstream jobs only need a single From e3fae8fb01d65fb8c968693db306933b9ce7a9b7 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:24:46 +0200 Subject: [PATCH 5/9] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/pana.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pana.yml b/.github/workflows/pana.yml index 939b8ec3a..5b614782f 100644 --- a/.github/workflows/pana.yml +++ b/.github/workflows/pana.yml @@ -12,6 +12,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: stream_chat: runs-on: ubuntu-latest From 2be6b0d5756b593cd2b684dbf89d939557f7152c Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:24:47 +0200 Subject: [PATCH 6/9] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/pr_title.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml index 670abd70f..2f129ad0a 100644 --- a/.github/workflows/pr_title.yml +++ b/.github/workflows/pr_title.yml @@ -13,6 +13,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: conventional_pr_title: runs-on: ubuntu-latest From d23277d5ed8d3d6c76a686047809117a0d592084 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:24:47 +0200 Subject: [PATCH 7/9] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/stream_flutter_workflow.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/stream_flutter_workflow.yml b/.github/workflows/stream_flutter_workflow.yml index 83f131753..5877a89f1 100644 --- a/.github/workflows/stream_flutter_workflow.yml +++ b/.github/workflows/stream_flutter_workflow.yml @@ -19,6 +19,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: # Centralizes every gating decision for this workflow — path filter, # draft state, and push-vs-PR semantics. Downstream jobs only need a From 49c08214ed774d8454076db45b9d6914e19f4965 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:24:48 +0200 Subject: [PATCH 8/9] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/update_goldens.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/update_goldens.yml b/.github/workflows/update_goldens.yml index 122f4f4ef..c2e4a0a55 100644 --- a/.github/workflows/update_goldens.yml +++ b/.github/workflows/update_goldens.yml @@ -13,6 +13,10 @@ on: - sdk - docs +permissions: + actions: write + contents: read + jobs: update_sdk_goldens: if: inputs.target == 'sdk' || inputs.target == 'both' From a6ac9fc417a2baa01dd9719a68f1925a3957aacf Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 17:31:04 +0200 Subject: [PATCH 9/9] ci: address CodeRabbit review feedback and fix workflow YAML --- .github/workflows/update_goldens.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/update_goldens.yml b/.github/workflows/update_goldens.yml index c2e4a0a55..148397e2d 100644 --- a/.github/workflows/update_goldens.yml +++ b/.github/workflows/update_goldens.yml @@ -14,8 +14,7 @@ on: - docs permissions: - actions: write - contents: read + contents: write jobs: update_sdk_goldens: