From 4722b01c2761b7966a1e4b313789fb778b7bb533 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:23:54 +0200 Subject: [PATCH 1/3] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2967df8..c4a8705 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -10,6 +10,10 @@ concurrency: group: ${{ github.ref }} cancel-in-progress: true +permissions: + actions: write + contents: read + jobs: lint: name: ktlint From fc8436e1e9d3a1753f2cf83c4d9724b61d5edf28 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:23:55 +0200 Subject: [PATCH 2/3] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/pr-checks.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 189c9dd..10ca194 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -12,6 +12,11 @@ concurrency: group: ${{ github.head_ref }} cancel-in-progress: true +permissions: + actions: write + contents: read + pull-requests: read + jobs: lint: name: ktlint From d7596c7ef4f1b1586b081294c235c60ed2ff9fd6 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:23:56 +0200 Subject: [PATCH 3/3] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/publish-new-version.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/publish-new-version.yml b/.github/workflows/publish-new-version.yml index 7d14ae6..700fb4b 100644 --- a/.github/workflows/publish-new-version.yml +++ b/.github/workflows/publish-new-version.yml @@ -11,6 +11,9 @@ on: - minor - major +permissions: + contents: read + jobs: publish: uses: GetStream/android-ci-actions/.github/workflows/release-new-version.yml@v0.4