From 409568c8f3fac2bad121d34eca35044e7e8e1942 Mon Sep 17 00:00:00 2001
From: Nikita Vasilev
Date: Sun, 23 Nov 2025 12:54:29 +0400
Subject: [PATCH] chore(ci): add explicit permissions to satisfy CodeQL

---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/conventional-pr.yml | 4 ++++
 .github/workflows/danger.yml | 4 ++++
 .github/workflows/lint.yml | 2 ++
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 59851ff..f5fe286 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ on:
 - "Sources/**"
 - "Tests/**"

+permissions:
+ contents: read
+
 concurrency:
 group: validator-${{ github.head_ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/conventional-pr.yml b/.github/workflows/conventional-pr.yml
index e132e0c..11eb4a0 100644
--- a/.github/workflows/conventional-pr.yml
+++ b/.github/workflows/conventional-pr.yml
@@ -8,6 +8,10 @@ on:
 - opened
 - edited
 - synchronize
+permissions:
+ contents: read
+ pull-requests: read
+ statuses: write
 jobs:
 lint-pr:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
index 5461722..1533692 100644
--- a/.github/workflows/danger.yml
+++ b/.github/workflows/danger.yml
@@ -8,6 +8,10 @@ env:
 LC_CTYPE: en_US.UTF-8
 LANG: en_US.UTF-8

+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 run-danger:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0553a6f..19dfb94 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -29,6 +29,8 @@ jobs:
 discover-typos:
 name: discover-typos
 runs-on: macos-15
+ permissions:
+ contents: read
 env:
 DEVELOPER_DIR: /Applications/Xcode_16.4.app/Contents/Developer
 steps:
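Review bot: In `.github/workflows/conventional-pr.yml` the new workflow-level block grants `statuses: write` to every job in the file, and nothing records which step needs each scope. Only the first line of `lint-pr` is visible (the job continues outside the hunk), so it is not clear that `contents: read` is used at all; if the job never checks out the repository that entry can go. I would move the block under `lint-pr:` and add a comment such as `# statuses: write - presumably lets the PR-title check report a commit status`. The event name above `types:` is also outside the hunk: if it is `pull_request_target`, the write scope applies to fork PRs too, and the job must not check out or run PR-head code.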
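Review bot: In `.github/workflows/danger.yml` the workflow-level `pull-requests: write` covers `run-danger`, which by its name runs Danger and would therefore evaluate a Dangerfile from the checked-out tree. The trigger and the checkout step are outside the hunk, so confirm the workflow runs on `pull_request` (fork PRs then get a read-only token) rather than on `pull_request_target` with the PR head checked out. Once `permissions:` is explicit, every unlisted scope becomes `none`; if Danger is configured to set a commit status it would also need `statuses: write`. A comment such as `# pull-requests: write - Danger posts its report as a PR comment` would record the intent next to the grant.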
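Review bot: In `.github/workflows/lint.yml` the restriction is added only to the `discover-typos` job, whereas the other three workflows in this patch set it at workflow level. The diffstat shows just these two added lines for the file, so any other job under `jobs:` (outside the hunk) keeps the repository's default `GITHUB_TOKEN` permissions unless it already declares its own. Unless a sibling job needs a wider scope, a top-level `permissions:` with `contents: read`, placed as in ci.yml, would cover every job and make the default explicit.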