From 954b182d60ed6561ec6576293195fdba17de7abb Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:50 +0200 Subject: [PATCH 1/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/ci.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index cf3000a..6243201 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,6 +9,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: test-build: name: 👷 Test & Build From 42670b5c3a28f3c7beb8f0f7f79ba387d3cf11ca Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:51 +0200 Subject: [PATCH 2/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/initiate_release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/initiate_release.yml b/.github/workflows/initiate_release.yml index 6dc7b49..3c8aa06 100644 --- a/.github/workflows/initiate_release.yml +++ b/.github/workflows/initiate_release.yml @@ -7,6 +7,10 @@ on: description: "The new version number with 'v' prefix. Example: v1.40.1" required: true +permissions: + contents: write + pull-requests: write + jobs: init_release: name: 🚀 Create release PR From 2d60050302b582e749474d9b8750048e327be44b Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:52 +0200 Subject: [PATCH 3/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/lint.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index b7370e5..5d76fb6 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -6,6 +6,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: lint: name: 👮 Lint From 35a3bda96bfa69c391d9ceaef1bb3635477844f8 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:53 +0200 Subject: [PATCH 4/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/reviewdog.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/reviewdog.yaml b/.github/workflows/reviewdog.yaml index 255573f..229f8e7 100644 --- a/.github/workflows/reviewdog.yaml +++ b/.github/workflows/reviewdog.yaml @@ -6,6 +6,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + pull-requests: read + jobs: reviewdog: name: 🐶 Reviewdog