From df68ba20cb740f1e7fa1227a6927dd0f2eb5db0d Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:39:49 +0200 Subject: [PATCH 1/2] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 383065a..a622f7c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,6 +11,11 @@ on: types: - created +permissions: + actions: write + contents: read + pull-requests: read + jobs: build-and-test: runs-on: macos-latest From bea25ebce68c459b5a95fb1631e140780236a3e2 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Fri, 10 Jul 2026 14:47:27 +0200 Subject: [PATCH 2/2] CI: upgrade actions/cache from v2 to v4 GitHub now auto-fails workflows using deprecated actions/cache v1/v2. The existing actions: write permission already satisfies cache v4 requirements. --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a622f7c..e224459 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v1 - name: Cache dependencies - uses: actions/cache@v1.1.0 + uses: actions/cache@v4.1.0 id: carthage-cache with: path: Carthage