From 311be9ab8a229905bff986c7b682b1605cc15fd7 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:32:11 +0200 Subject: [PATCH 1/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5298451..6294083 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: test-build: name: 👷 Test & Build From d7b9c8654a911c79b5c4b2333f0622e2e07b0ca0 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:32:12 +0200 Subject: [PATCH 2/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/initiate_release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/initiate_release.yml b/.github/workflows/initiate_release.yml index 29c8229..ed62c16 100644 --- a/.github/workflows/initiate_release.yml +++ b/.github/workflows/initiate_release.yml @@ -7,6 +7,10 @@ on: description: "The new version number with 'v' prefix. Example: v1.40.1" required: true +permissions: + contents: write + pull-requests: write + jobs: init_release: name: 🚀 Create release PR From 1208ea26fd6a6c0474a2992a044d185d18b50fce Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:32:13 +0200 Subject: [PATCH 3/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fd0a06e..4c75ba1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,10 @@ on: branches: - main +permissions: + contents: read + pull-requests: read + jobs: Release: name: 🚀 Release From 28a4d5d585d9fc0591475087b24747a3e031a716 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:32:14 +0200 Subject: [PATCH 4/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/reviewdog.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index 6bbf739..d8a359b 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -6,6 +6,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: reviewdog: name: 🐶 Reviewdog