Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/apk-s3-distribute.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ on:
types:
- completed

permissions:
contents: read

jobs:
build_ui_components_sample_app:
name: Build and push to S3
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/app-distribute-v7.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
- v7
workflow_dispatch:

permissions:
contents: read

jobs:
build_compose_sample_app:
name: Build and Distribute Compose Sample App
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/app-distribute.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ on:
- develop
- main

permissions:
contents: read

jobs:
build_ui_components_sample_app:
name: Build and Distribute UI Components Sample App
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/build-and-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
pull-requests: read

Comment on lines +13 to +16

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Invalid YAML — workflow will fail to parse.

pull-requests: read is over-indented under contents: read, which is not valid YAML (a scalar value cannot have a nested mapping). Confirmed by both actionlint and yamllint. This breaks the entire workflow file at parse time.

🐛 Proposed fix
 permissions:
   contents: read
-    pull-requests: read
+  pull-requests: read
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: read
pull-requests: read
permissions:
contents: read
pull-requests: read
🧰 Tools
🪛 actionlint (1.7.12)

[error] 15-15: could not parse as YAML: mapping values are not allowed in this context

(syntax-check)

🪛 YAMLlint (1.37.1)

[error] 15-15: syntax error: mapping values are not allowed here

(syntax)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-and-test.yml around lines 13 - 16, The workflow YAML
has an invalid indentation in the permissions block, causing the file to fail
parsing. Fix the permissions section in the build-and-test workflow so that
pull-requests: read is aligned as a sibling of contents: read, not nested under
it. Use the permissions mapping near the top of the workflow as the reference
point and ensure the YAML structure is valid for GitHub Actions and
actionlint/yamllint.

Source: Linters/SAST tools

jobs:
debug_build:
name: Debug build
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/clean-detekt-baseline.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ on:
# Every midnight
- cron: "0 0 * * *"

permissions:
contents: read
pull-requests: read

Comment on lines +8 to +11

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Invalid YAML — workflow will fail to parse.

Same indentation defect as in build-and-test.yml: pull-requests: read is nested under the scalar contents: read, which is invalid YAML. Confirmed by actionlint/yamllint.

🐛 Proposed fix
 permissions:
   contents: read
-    pull-requests: read
+  pull-requests: read
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: read
pull-requests: read
permissions:
contents: read
pull-requests: read
🧰 Tools
🪛 actionlint (1.7.12)

[error] 10-10: could not parse as YAML: mapping values are not allowed in this context

(syntax-check)

🪛 YAMLlint (1.37.1)

[error] 10-10: syntax error: mapping values are not allowed here

(syntax)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/clean-detekt-baseline.yaml around lines 8 - 11, The
workflow YAML is invalid because `pull-requests: read` is indented under
`contents: read` instead of being a sibling permission entry. Fix the
permissions block in the workflow so the `permissions` mapping has separate
`contents` and `pull-requests` keys at the same indentation level, matching the
valid pattern used elsewhere in the repo.

Source: Linters/SAST tools

jobs:
clean_detekt_baseline_files:
name: Clean Detekt Baseline Files
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/e2e-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ env:
BUILD_CACHE_AWS_ACCESS_KEY_ID: ${{ secrets.BUILD_CACHE_AWS_ACCESS_KEY_ID }}
BUILD_CACHE_AWS_SECRET_KEY: ${{ secrets.BUILD_CACHE_AWS_SECRET_KEY }}

permissions:
contents: read

jobs:
build:
name: ${{ inputs.app }} apks
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/e2e-test-backend.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ env:
BUILD_CACHE_AWS_SECRET_KEY: ${{ secrets.BUILD_CACHE_AWS_SECRET_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

permissions:
contents: read

jobs:
test-backend-integration:
name: Test Backend Integration
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/e2e-test-cron.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@
group: ${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

Check notice

Code scanning / SonarCloud

Read permissions should be defined at the job level Low

Move this read permission from workflow level to job level. See more on SonarQube Cloud

Check warning on line 21 in .github/workflows/e2e-test-cron.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Move this read permission from workflow level to job level.

See more on https://sonarcloud.io/project/issues?id=GetStream_stream-chat-android&issues=AZ826ceBf4dmyWW2Z-ZH&open=AZ826ceBf4dmyWW2Z-ZH&pullRequest=6545

env:
BUILD_CACHE_AWS_REGION: ${{ secrets.BUILD_CACHE_AWS_REGION }}
BUILD_CACHE_AWS_BUCKET: ${{ secrets.BUILD_CACHE_AWS_BUCKET }}
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/e2e-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ concurrency:
group: ${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

env:
BUILD_CACHE_AWS_REGION: ${{ secrets.BUILD_CACHE_AWS_REGION }}
BUILD_CACHE_AWS_BUCKET: ${{ secrets.BUILD_CACHE_AWS_BUCKET }}
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/no-response.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ on:
# Every midnight
- cron: '0 0 * * *'

permissions:
issues: write
pull-requests: write

Comment on lines +10 to +13

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Invalid YAML indentation breaks the entire workflow.

pull-requests: write is nested under issues: write instead of being a sibling mapping key. actionlint and yamllint both report could not parse as YAML: mapping values are not allowed in this context at this line, which will prevent the workflow from parsing/running at all.

🔧 Fix indentation
 permissions:
   issues: write
-    pull-requests: write
+  pull-requests: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
issues: write
pull-requests: write
permissions:
issues: write
pull-requests: write
🧰 Tools
🪛 actionlint (1.7.12)

[error] 12-12: could not parse as YAML: mapping values are not allowed in this context

(syntax-check)

🪛 YAMLlint (1.37.1)

[error] 12-12: syntax error: mapping values are not allowed here

(syntax)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/no-response.yml around lines 10 - 13, The workflow YAML
has invalid indentation in the permissions block, causing the file to fail
parsing. Fix the permissions mapping so pull-requests is aligned as a sibling of
issues in the no-response workflow, and verify the workflow remains valid YAML
after the indentation correction.

Source: Linters/SAST tools

jobs:
noResponse:
runs-on: ubuntu-22.04
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/pr-checks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ concurrency:
group: ${{ github.head_ref }}
cancel-in-progress: true

permissions:
contents: read
pull-requests: read

Comment on lines +9 to +12

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Invalid YAML indentation breaks the entire workflow.

pull-requests: read is nested under contents: read instead of being a sibling mapping key, which is invalid YAML. Static analysis confirms this: actionlint reports could not parse as YAML: mapping values are not allowed in this context and yamllint reports a matching syntax error. This will cause the whole workflow to fail to run.

🔧 Fix indentation
 permissions:
   contents: read
-    pull-requests: read
+  pull-requests: read
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: read
pull-requests: read
permissions:
contents: read
pull-requests: read
🧰 Tools
🪛 actionlint (1.7.12)

[error] 11-11: could not parse as YAML: mapping values are not allowed in this context

(syntax-check)

🪛 YAMLlint (1.37.1)

[error] 11-11: syntax error: mapping values are not allowed here

(syntax)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-checks.yml around lines 9 - 12, The workflow
permissions block has invalid YAML because pull-requests: read is indented as a
child of contents: read instead of a sibling entry. Fix the permissions mapping
in pr-checks.yml so contents and pull-requests are aligned under permissions,
using the existing permissions block near the workflow top-level.

Source: Linters/SAST tools

jobs:
base-android-ci:
uses: GetStream/stream-build-conventions-android/.github/workflows/android-ci.yml@v0.13.1
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/publish-new-version.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,9 @@ concurrency:
group: release
cancel-in-progress: false

permissions:
contents: read

jobs:
pre_release_check:
name: Pre release check
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/sdk-size-updates.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ concurrency:
group: ${{ github.workflow }}
cancel-in-progress: true

permissions:
pull-requests: write

jobs:
update-sdk-sizes:
uses: GetStream/stream-build-conventions-android/.github/workflows/sdk-size-updates.yml@v0.13.1
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/snapshot-test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_PR_NUM: ${{ github.event.pull_request.number }}

permissions:
contents: read
pull-requests: read

Comment on lines +18 to +21

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Invalid YAML indentation breaks the entire workflow.

pull-requests: read is nested under contents: read rather than being a sibling key. actionlint and yamllint both flag could not parse as YAML: mapping values are not allowed in this context at this line.

🔧 Fix indentation
 permissions:
   contents: read
-    pull-requests: read
+  pull-requests: read
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: read
pull-requests: read
permissions:
contents: read
pull-requests: read
🧰 Tools
🪛 actionlint (1.7.12)

[error] 20-20: could not parse as YAML: mapping values are not allowed in this context

(syntax-check)

🪛 YAMLlint (1.37.1)

[error] 20-20: syntax error: mapping values are not allowed here

(syntax)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/snapshot-test.yaml around lines 18 - 21, The workflow YAML
is invalid because the permissions block in snapshot-test.yaml has incorrect
indentation, causing parse failures. Update the permissions mapping so
pull-requests: read is aligned as a sibling of contents: read under the
permissions section, and verify the workflow remains valid for actionlint and
yamllint.

Source: Linters/SAST tools


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow around the referenced lines.
if [ -f .github/workflows/snapshot-test.yaml ]; then
  nl -ba .github/workflows/snapshot-test.yaml | sed -n '1,140p'
fi

# Look for the create-pull-request action usage in this workflow.
rg -n "create-pull-request|record ==|permissions:|pull-requests:|contents:" .github/workflows/snapshot-test.yaml || true

Repository: GetStream/stream-chat-android

Length of output: 207


🏁 Script executed:

#!/bin/bash
set -euo pipefail

if [ -f .github/workflows/snapshot-test.yaml ]; then
  sed -n '1,140p' .github/workflows/snapshot-test.yaml
fi

printf '\n--- matches ---\n'
rg -n "create-pull-request|record ==|permissions:|pull-requests:|contents:" .github/workflows/snapshot-test.yaml || true

Repository: GetStream/stream-chat-android

Length of output: 2277


🌐 Web query:

peter-evans/create-pull-request@v8 permissions contents write pull-requests write default GITHUB_TOKEN documentation

💡 Result:

To use peter-evans/create-pull-request@v8 with the default GITHUB_TOKEN, you must explicitly elevate the token's permissions in your workflow file [1][2]. For repositories created after February 2, 2023, the default GITHUB_TOKEN permissions are read-only, which prevents the action from creating or updating pull requests [3][1]. To grant the necessary access, include the following permissions block in your workflow job [1][2]: permissions: contents: write pull-requests: write Additionally, you must ensure that GitHub Actions is permitted to create pull requests in your repository settings. Navigate to your repository's Settings > Actions > General > Workflow permissions and ensure that "Allow GitHub Actions to create and approve pull requests" is enabled [1][2][4]. Important considerations: - Forked repositories: If a workflow is triggered by a pull request from a fork, the GITHUB_TOKEN will have read-only access regardless of your permission settings [5][6][7]. In such cases, the action will fail to create pull requests [6][7]. - Triggering further workflows: Pull requests created by the default GITHUB_TOKEN will not trigger subsequent on: push or on: pull_request workflows [1][6]. If you require downstream workflows to run automatically, you must use a Personal Access Token (PAT) or a GitHub App token instead [1][8][2].

Citations:


Grant write access for create-pull-request

peter-evans/create-pull-request@v8 runs with the default GITHUB_TOKEN here, so record: true needs contents: write and pull-requests: write; read will cause that step to fail.

🔧 Suggested permissions
 permissions:
-  contents: read
-  pull-requests: read
+  contents: write
+  pull-requests: write
🧰 Tools
🪛 actionlint (1.7.12)

[error] 20-20: could not parse as YAML: mapping values are not allowed in this context

(syntax-check)

🪛 YAMLlint (1.37.1)

[error] 20-20: syntax error: mapping values are not allowed here

(syntax)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/snapshot-test.yaml around lines 18 - 21, The workflow
permissions are too restrictive for the snapshot creation step. Update the
permissions block used by the `peter-evans/create-pull-request@v8` step in the
snapshot test workflow so `GITHUB_TOKEN` has write access, specifically
`contents: write` and `pull-requests: write`, instead of read-only access. Keep
the change scoped to the workflow permissions section associated with the
create-pull-request job.

jobs:
run_snapshot_tests:
name: Run
Expand Down
Loading