From f669f152bda31cedd8f136fa7cbc1807279de0ab Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:39:43 +0200 Subject: [PATCH 1/3] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aa815b0..846bdd7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,12 @@ on: pull_request: branches: - master + +permissions: + actions: write + contents: read + pull-requests: read + jobs: test: runs-on: ubuntu-latest From 0dcc6f52b8a2d92d1683bbb68a443e9ebf1fa99d Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Fri, 10 Jul 2026 14:40:03 +0200 Subject: [PATCH 2/3] CI: upgrade actions/cache from v2 to v4 GitHub now auto-fails workflows using deprecated actions/cache v1/v2. The existing actions: write permission already satisfies cache v4 requirements. --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 846bdd7..7500b59 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: node-version: ${{ matrix.node }} - name: Cache Dependencies - uses: actions/cache@v2 + uses: actions/cache@v4 with: path: ./node_modules key: ${{ runner.os }}-${{ matrix.node }}-modules-${{ hashFiles('**/yarn.lock') }} From f3b813b85a2681e3f33f15f88fc4b22a6433f675 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:57:40 +0200 Subject: [PATCH 3/3] fix(ci): align workflow token permissions with actual operations --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7500b59..9c0f762 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,6 @@ on: permissions: actions: write contents: read - pull-requests: read jobs: test: