From 5b1b465eeccef2cf22e12e28054d2e6596c26e33 Mon Sep 17 00:00:00 2001 From: Lukas Harbarth Date: Fri, 15 May 2026 12:17:02 +0200 Subject: [PATCH 1/2] chore(ci): add explicit permissions to GitHub Actions workflows --- .github/workflows/build.yml | 2 ++ .github/workflows/chromatic.yml | 4 ++++ .github/workflows/examples.yml | 2 ++ .github/workflows/main.yml | 15 +++++++++++++++ .github/workflows/open-source-security.yml | 2 ++ .github/workflows/release-comments.yml | 3 +++ .github/workflows/release-custom-tag.yml | 2 ++ .github/workflows/release.yml | 4 ++++ .github/workflows/stale.yml | 3 +++ .github/workflows/test.yml | 4 ++++ 10 files changed, 41 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fd2ca6c1a91..5fee69be8f9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,6 +2,8 @@ name: 'Build w/ React18 & 19' on: workflow_call: +permissions: + contents: read jobs: build: diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml index 6a8240373dd..dcf85aedb2f 100644 --- a/.github/workflows/chromatic.yml +++ b/.github/workflows/chromatic.yml @@ -3,6 +3,10 @@ name: 'chromatic' on: push: workflow_dispatch: +permissions: + contents: read + pull-requests: write # Chromatic posts PR comments + statuses: write # Chromatic posts commit statuses jobs: chromatic: diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml index 6f58087859f..9c25874ec37 100644 --- a/.github/workflows/examples.yml +++ b/.github/workflows/examples.yml @@ -13,6 +13,8 @@ on: - 'examples/**/*' - 'templates/**/*' - 'patterns/navigation-layout/**/*' +permissions: + contents: read jobs: examples: diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index db60c3dc575..2a43d6da070 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
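Review bot: The `pull-requests: write` and `statuses: write` grants in chromatic.yml look wider than the job needs, and the comments justifying them may be inaccurate. As far as I can tell, chromaui/action reports to Chromatic with the project token and the "UI Tests"/"UI Review" commit statuses are posted by Chromatic's own GitHub App, not with GITHUB_TOKEN; the job's steps are outside the hunk, so please confirm against a run. If nothing in the job calls the GitHub API with GITHUB_TOKEN, reduce the block to `permissions:` / `  contents: read` and verify the statuses still appear on the next push. If a step really does post comments, keep the grant but make the comment name that step rather than Chromatic generically.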
@@ -17,6 +17,8 @@ on: jobs: reuse-compliance: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -26,6 +28,9 @@ jobs: check-bundle-size: if: ${{ github.base_ref == 'main' }} # only for PRs targeting main branch runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write # compressed-size-action posts PR comments steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -37,14 +42,22 @@ jobs: clean-script: 'clean:remove-modules' build: + permissions: + contents: read uses: './.github/workflows/build.yml' test: needs: ['build'] + permissions: + contents: read + pull-requests: write # coveralls posts coverage status + checks: write # coveralls creates check runs uses: './.github/workflows/test.yml' lint: runs-on: ubuntu-latest + permissions: + contents: read env: CYPRESS_INSTALL_BINARY: 0 steps: @@ -66,6 +79,8 @@ jobs: deploy-next-docs: needs: ['build'] runs-on: ubuntu-latest + permissions: + contents: write # pushes to gh-pages branch env: CYPRESS_INSTALL_BINARY: 0 steps: diff --git a/.github/workflows/open-source-security.yml b/.github/workflows/open-source-security.yml index c18ae2349a1..64a9a881fea 100644 --- a/.github/workflows/open-source-security.yml +++ b/.github/workflows/open-source-security.yml @@ -7,6 +7,8 @@ on: schedule: - cron: '12 3 * * *' workflow_dispatch: +permissions: + contents: read jobs: piper-oss: diff --git a/.github/workflows/release-comments.yml b/.github/workflows/release-comments.yml index 4da073d0617..cbcf04328ba 100644 --- a/.github/workflows/release-comments.yml +++ b/.github/workflows/release-comments.yml @@ -2,6 +2,9 @@ name: 'Issue Comments' on: workflow_dispatch: +# All write operations use secrets.ACCESS_TOKEN (PAT), not GITHUB_TOKEN +permissions: + contents: read jobs: issue-comment: 
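Review bot: main.yml is the only workflow in this patch that gets no workflow-level `permissions` default, so any job not touched by these hunks, or one added later, still runs with the repository's default GITHUB_TOKEN permissions. I would add `permissions:` / `  contents: read` at the top of the file next to `on:` and keep the job-level blocks as the explicit overrides; a job-level block fully replaces the workflow-level set, so the existing grants keep working unchanged. The `on:` block itself is outside the hunk, so I cannot tell whether this file runs on `pull_request_target`; if it does, the write grants on `check-bundle-size` combined with a checkout of the PR head would deserve a second look.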
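Review bot: `contents: write` on `deploy-next-docs` is repository-wide: the token can push to any branch that is not protected and create tags or releases, not only `gh-pages`, so the comment `# pushes to gh-pages branch` overstates how narrow the grant is. If the publish step can use GitHub Pages deployments instead, `pages: write` plus `id-token: write` with actions/deploy-pages avoids handing the job a content-write token at all; otherwise a deploy key restricted to this purpose is the usual fallback. The job's `if:` gate is outside the hunk, so please also confirm it only runs on pushes to the default branch and not on `pull_request` events, where a same-repository PR would otherwise receive this write token.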
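Review bot: In release-comments.yml the new `contents: read` block does not constrain `secrets.ACCESS_TOKEN`, so the least-privilege effect here depends entirely on how that PAT is scoped, and the comment should say so. I would extend it to `# All write operations use secrets.ACCESS_TOKEN (PAT); GITHUB_TOKEN permissions do not apply to it - keep the PAT fine-grained (issues: write on this repository only)`. If the PAT is a classic long-lived token, consider replacing it with a short-lived installation token from actions/create-github-app-token so the workflow's write access expires with the run; the steps are outside the hunk, so I cannot tell which API calls the token actually needs.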
diff --git a/.github/workflows/release-custom-tag.yml b/.github/workflows/release-custom-tag.yml index afa0f892c77..3dd19b5dee3 100644 --- a/.github/workflows/release-custom-tag.yml +++ b/.github/workflows/release-custom-tag.yml @@ -14,6 +14,8 @@ on: jobs: test: + permissions: + contents: read uses: './.github/workflows/test.yml' with: reportCoverage: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 57c47340e7b..308d0e2f16d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,11 +27,15 @@ on: jobs: build: if: ${{ github.event.inputs.publish_only != 'true' }} + permissions: + contents: read uses: './.github/workflows/build.yml' test: if: ${{ github.event.inputs.publish_only != 'true' }} needs: ['build'] + permissions: + contents: read uses: './.github/workflows/test.yml' with: reportCoverage: false diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 5aed5d22eb6..c004bc22358 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -3,6 +3,9 @@ name: Mark and close stale issues on: schedule: - cron: '30 1 * * *' +permissions: + issues: write # Label, comment, and close stale issues + pull-requests: write # Label, comment, and close stale PRs jobs: stale: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b65c4c8881e..a4bf4e3676c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,6 +7,10 @@ on: default: true type: boolean required: false +permissions: + contents: read + pull-requests: write # coveralls posts coverage status + checks: write # coveralls creates check runs jobs: mcp-server: From 251a3da82db5c20302e18b35066df6a2fc9b3039 Mon Sep 17 00:00:00 2001 From: Lukas Harbarth Date: Fri, 15 May 2026 12:24:56 +0200 Subject: [PATCH 2/2] [ci chromatic] --- examples/vite-ts/package.json | 1 + 1 file changed, 1 insertion(+) 
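Review bot: The `test` job in release.yml grants only `contents: read`, but test.yml as changed in this same patch declares `pull-requests: write` and `checks: write` at workflow level; a called workflow can only downgrade the caller's grant, never request more, so I expect this job to fail at workflow validation with GitHub's "is requesting ... but is only allowed ..." error rather than run. The `test` job in release-custom-tag.yml has the same gap. Either add `pull-requests: write` and `checks: write` to both caller jobs, or, since both pass `reportCoverage: false` and never run coveralls, drop the two write lines from test.yml's top-level block so each caller decides what to grant. The second commit only exercises the chromatic workflow, so this path does not appear to have been run on this branch.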
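Review bot: Declaring `pull-requests: write` and `checks: write` at the top of test.yml, a `workflow_call` workflow, forces every caller to grant those rights, because `permissions` in a called workflow can only narrow the caller's grant. The callers in release.yml and release-custom-tag.yml grant `contents: read` only and pass `reportCoverage: false`, so they neither need nor provide them, while main.yml's `test` job already grants both. I would keep `permissions:` / `  contents: read` here and delete the two write lines, leaving the coveralls rights to be issued by main.yml alone; if you want the requirement documented in this file, a comment such as `# callers that set reportCoverage must grant pull-requests: write and checks: write for coveralls` does that without breaking the other callers.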
diff --git a/examples/vite-ts/package.json b/examples/vite-ts/package.json index ca9df3f5f1c..e5cefdfd803 100644 --- a/examples/vite-ts/package.json +++ b/examples/vite-ts/package.json @@ -1,5 +1,6 @@ { "name": "vite-ts", + "description": "UI5 Web Components for React - Vite + TypeScript example", "private": true, "version": "0.0.0", "type": "module",