From 03e6faa9814dd225ab91308f20231f0fa9deb837 Mon Sep 17 00:00:00 2001
From: Sean Budd
Date: Tue, 16 Jun 2026 15:16:09 +1000
Subject: [PATCH 1/3] add explicit perms to CI/CD
---
 .github/workflows/testAndPublish.yml | 32 +++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/testAndPublish.yml b/.github/workflows/testAndPublish.yml
index 54717011518..fb63a91619c 100644
--- a/.github/workflows/testAndPublish.yml
+++ b/.github/workflows/testAndPublish.yml
@@ -60,6 +60,9 @@ jobs:
 needs: matrix
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
 timeout-minutes: 30
+ permissions:
+ contents: read
+ actions: write
 strategy:
 fail-fast: false
 matrix:
@@ -150,6 +153,8 @@ jobs:
 name: Check types with Pyright
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
 needs: [matrix, buildNVDA]
+ permissions:
+ contents: read
 steps:
 - name: Checkout cached build
 uses: actions/cache/restore@v5
@@ -171,6 +176,8 @@ jobs:
 name: Check po files for errors
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
 needs: matrix
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
@@ -202,6 +209,9 @@ jobs:
 name: Check translator comments
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
 needs: [matrix, buildNVDA]
+ permissions:
+ contents: read
+ actions: write
 steps:
 - name: Checkout cached build
 uses: actions/cache/restore@v5
@@ -231,6 +241,8 @@ jobs:
 name: Check license compatibility of dependencies
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
 needs: [matrix, buildNVDA]
+ permissions:
+ contents: read
 steps:
 - name: Checkout cached build
 uses: actions/cache/restore@v5
@@ -252,6 +264,9 @@ jobs:
 name: Run unit tests
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
 needs: [matrix, buildNVDA]
+ permissions:
+ contents: read
+ actions: write
 strategy:
 fail-fast: false
 matrix:
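Review bot: `actions: write` is the widest scope this patch grants, and nothing in the `@@ -60` (the job at line 60, presumably buildNVDA given the later `needs:` lines), `@@ -202` (checkPot) and `@@ -252` (unitTests) hunks shows which step needs it; each job's `steps:` lie outside the hunk, so the reason can only be guessed at (a cache or artifact step, perhaps). On the GITHUB_TOKEN that scope also lets the job cancel or re-run workflow runs and delete caches and artifacts, so it deserves a one-line justification next to the grant, e.g. `actions: write  # needed by <step name> — TODO confirm`, so a later reader can tell a required grant from a copy-paste. The same applies to the createLauncher, systemTests and createSymbols hunks (`@@ -332`, `@@ -425`, `@@ -508`) in the rest of this patch. The `contents: read`-only jobs are already minimal, since listing `permissions:` at job level sets every unlisted scope to none for that job; whether the workflow also carries a restrictive top-level `permissions:` block, so that a job added later without its own block does not fall back to the repository default, is not visible in this diff.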
@@ -302,6 +317,8 @@ jobs:
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
 needs: [matrix, buildNVDA, checkPot]
 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/beta' && vars.CROWDIN_PROJECT_ID }}
+ permissions:
+ contents: read
 steps:
 - name: Checkout cached build
 uses: actions/cache/restore@v5
@@ -332,6 +349,9 @@ jobs:
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
 needs: [matrix, buildNVDA]
 timeout-minutes: 35
+ permissions:
+ contents: read
+ actions: write
 strategy:
 fail-fast: false
 matrix:
@@ -425,6 +445,9 @@ jobs:
 runs-on: ${{ matrix.runner }}
 needs: [matrix, createLauncher]
 timeout-minutes: 10
+ permissions:
+ contents: read
+ actions: write
 strategy:
 fail-fast: false
 matrix:
@@ -508,6 +531,9 @@ jobs:
 name: Create symbols
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
 needs: [matrix, buildNVDA]
+ permissions:
+ contents: read
+ actions: write
 strategy:
 fail-fast: false
 matrix:
@@ -551,6 +577,8 @@ jobs:
 runs-on: ubuntu-latest
 if: always()
 needs: [buildNVDA, typeCheck, checkPo, checkPot, licenseCheck, unitTests, createLauncher, systemTests, createSymbols]
+ permissions:
+ contents: read
 steps:
 - name: Check if all tests pass
 uses: re-actors/alls-green@v1.2.2
@@ -560,8 +588,10 @@ jobs:
 uploadSymbols:
 name: Upload symbols
 runs-on: ${{ needs.matrix.outputs.defaultRunner }}
- needs: [matrix, buildNvda]
+ needs: [matrix, buildNVDA]
 if: ${{ github.event_name == 'push' && vars.feature_uploadSymbolsToMozilla }}
+ permissions:
+ contents: read
 steps:
 - name: Checkout cached build
 uses: actions/cache/restore@v5
From af3f71498ffccbef052ab91feaab7e456bac429b Mon Sep 17 00:00:00 2001
From: Sean Budd
Date: Tue, 16 Jun 2026 15:33:10 +1000
Subject: [PATCH 2/3] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/testAndPublish.yml | 1 +
 1 file changed, 1 insertion(+)
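Review bot: The `@@ -560` hunk folds an unrelated behaviour change into a permissions commit: `needs: [matrix, buildNvda]` becomes `needs: [matrix, buildNVDA]` in the uploadSymbols job, and the subject "add explicit perms to CI/CD" gives no hint of it. Whether the old spelling was being resolved to the same job or was silently not gating the symbol upload cannot be told from the hunk, but either way this is the line that decides when a push publishes symbols, so it belongs in the commit message (or in its own commit) rather than hidden among `permissions:` blocks. The remaining hunks on this line are consistent with the first patch; the `actions: write` grants at `@@ -332`, `@@ -425` and `@@ -508` carry the same missing-justification point raised on the earlier hunks and need no repeat here.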
diff --git a/.github/workflows/testAndPublish.yml b/.github/workflows/testAndPublish.yml
index fb63a91619c..4285dc78c38 100644
--- a/.github/workflows/testAndPublish.yml
+++ b/.github/workflows/testAndPublish.yml
@@ -448,6 +448,7 @@ jobs:
 permissions:
 contents: read
 actions: write
+ checks: write
 strategy:
 fail-fast: false
 matrix:
From 276efeebfc5cd1a287c8d4f8cf245d688f40cf86 Mon Sep 17 00:00:00 2001
From: Sean Budd
Date: Tue, 16 Jun 2026 15:40:20 +1000
Subject: [PATCH 3/3] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/testAndPublish.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/testAndPublish.yml b/.github/workflows/testAndPublish.yml
index 4285dc78c38..4aec13ee7a7 100644
--- a/.github/workflows/testAndPublish.yml
+++ b/.github/workflows/testAndPublish.yml
@@ -267,6 +267,7 @@ jobs:
 permissions:
 contents: read
 actions: write
+ checks: write
 strategy:
 fail-fast: false
 matrix:
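Review bot: The `checks: write` line added at `@@ -448` (systemTests) and again at `@@ -267` (unitTests, patch 3) arrives with a subject of "Potential fix for pull request finding" and no statement of what the finding was or which step consumes the scope; the jobs' `steps:` are outside both hunks, so the reader cannot verify it. `checks: write` lets the job token create and update check runs on the commit, which is what a test-report publishing step typically needs, but that should be stated rather than inferred from an autofix. A short inline note would settle it, e.g. `checks: write  # <test-report step> publishes check runs — TODO confirm`, and the commit message should name the step. With these two additions unitTests and systemTests end up with the broadest blocks in the file (`contents`, `actions`, `checks`), so they are the ones to re-check whenever their steps change.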