From 6c7581ea6ce6265e90c8e31b615fc26a2dc2d208 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:36:10 +0200 Subject: [PATCH 1/2] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/pr-checks.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 33fa9e9..e7fcc16 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -2,6 +2,10 @@ name: Pull request CI checks on: [pull_request] +permissions: + contents: read + pull-requests: read + jobs: lint: name: Spotless check From 4d675c93edc6809cefcea8b85fe3c9269dafb16c Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:13 +0200 Subject: [PATCH 2/2] fix(ci): align workflow token permissions with actual operations --- .github/workflows/pr-checks.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index e7fcc16..d850cc5 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -4,7 +4,6 @@ on: [pull_request] permissions: contents: read - pull-requests: read jobs: lint: