From e6a96ce6d15042a50a972bfe3cc123bdbe40cf70 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:29:36 +0200 Subject: [PATCH 1/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/cleanup.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml index 6864bd4..96882d6 100644 --- a/.github/workflows/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -10,6 +10,9 @@ on: - cron: "0 0 * * 0" workflow_dispatch: +permissions: + contents: read + jobs: cleanup: runs-on: ubuntu-latest From 5ddd3096cc5970d1bd575249884c831c31661398 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:29:37 +0200 Subject: [PATCH 2/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/pr-title-check.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml index e2a42f9..27a160f 100644 --- a/.github/workflows/pr-title-check.yml +++ b/.github/workflows/pr-title-check.yml @@ -4,6 +4,10 @@ on: pull_request: types: [opened, edited, synchronize, reopened] +permissions: + contents: read + pull-requests: read + jobs: lint: runs-on: ubuntu-latest From 2c94e1216ba170000f73efb6d499ece949e8abd9 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:29:38 +0200 Subject: [PATCH 3/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/test.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6e0a3dc..ad32a88 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,6 +12,10 @@ on: pull_request: types: [opened, synchronize, reopened] +permissions: + contents: read + pull-requests: read + jobs: lint: runs-on: ubuntu-latest From 69932fb83edcae1d9a0a12fc1b5f6b6f3f85306b Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 18:48:35 +0200 Subject: [PATCH 4/4] ci: fix workflow token permissions for CI checks --- .github/workflows/pr-title-check.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml index 27a160f..9fcfaf9 100644 --- a/.github/workflows/pr-title-check.yml +++ b/.github/workflows/pr-title-check.yml @@ -11,6 +11,8 @@ permissions: jobs: lint: runs-on: ubuntu-latest + permissions: + statuses: write steps: - uses: aslafy-z/conventional-pr-title-action@v3 env: