From e59e660f132746ae2140300aaf9e0d6436c9fdfa Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:27:04 +0200 Subject: [PATCH 01/13] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/browser.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/browser.yml b/.github/workflows/browser.yml index add756cf..d1390762 100644 --- a/.github/workflows/browser.yml +++ b/.github/workflows/browser.yml @@ -6,6 +6,10 @@ on: - 'main' pull_request: +permissions: + contents: read + pull-requests: read + jobs: browser: runs-on: ubuntu-latest From 987be40177ecb6f3570e49c7629c805537ab58e5 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:27:06 +0200 Subject: [PATCH 02/13] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/cloud.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/cloud.yml b/.github/workflows/cloud.yml index a62d1d9c..fbad2682 100644 --- a/.github/workflows/cloud.yml +++ b/.github/workflows/cloud.yml @@ -6,6 +6,10 @@ on: - 'main' pull_request: +permissions: + contents: read + pull-requests: read + jobs: qa: runs-on: ubuntu-latest From d00496cd2361ff55feefa3b686af47c48dd5e09c Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:27:07 +0200 Subject: [PATCH 03/13] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/initiate_release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/initiate_release.yml b/.github/workflows/initiate_release.yml index 878213aa..ec49fad7 100644 --- a/.github/workflows/initiate_release.yml +++ b/.github/workflows/initiate_release.yml @@ -7,6 +7,10 @@ on: description: "The new version number with 'v' prefix. Example: v1.40.1" required: true +permissions: + contents: write + pull-requests: write + jobs: init_release: name: 🚀 Create release PR From 5f954e8f4d73ee35fe1a5cfae5c49525f8382de7 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:27:08 +0200 Subject: [PATCH 04/13] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/integration.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index d1188786..a5af721a 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -6,6 +6,10 @@ on: - 'main' pull_request: +permissions: + contents: read + pull-requests: read + jobs: integration: runs-on: ubuntu-latest From e603ff06bc800ae10823356c1cc2b089f6dcf702 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:27:09 +0200 Subject: [PATCH 05/13] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/lint.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index af17043c..6857adff 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -6,6 +6,10 @@ on: - 'main' pull_request: +permissions: + contents: read + pull-requests: read + jobs: lint: runs-on: ubuntu-latest From 027bcf218dbbe6f6436c7bb46eaad3a50a047dcc Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:27:10 +0200 Subject: [PATCH 06/13] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/size.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/size.yml b/.github/workflows/size.yml index a83e86e2..64107adf 100644 --- a/.github/workflows/size.yml +++ b/.github/workflows/size.yml @@ -8,6 +8,10 @@ on: - 'test/**' - '**.md' +permissions: + contents: read + pull-requests: read + jobs: build: runs-on: ubuntu-latest From 3d71a43c3cf62098984b2675596a2b4c50fbdcac Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:27:11 +0200 Subject: [PATCH 07/13] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/type.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/type.yml b/.github/workflows/type.yml index 7e2b770e..2ef10d42 100644 --- a/.github/workflows/type.yml +++ b/.github/workflows/type.yml @@ -6,6 +6,10 @@ on: - 'main' pull_request: +permissions: + contents: read + pull-requests: read + jobs: types: runs-on: ubuntu-latest From 71c6ae496694fb488c7488626fdd7f832a616d39 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:00 +0200 Subject: [PATCH 08/13] fix(ci): align workflow token permissions with actual operations --- .github/workflows/browser.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/browser.yml b/.github/workflows/browser.yml index d1390762..57605d5a 100644 --- a/.github/workflows/browser.yml +++ b/.github/workflows/browser.yml @@ -8,7 +8,6 @@ on: permissions: contents: read - pull-requests: read jobs: browser: From 0a9241de8fd63a0a8560c95b32110d08445edfb8 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:01 +0200 Subject: [PATCH 09/13] fix(ci): align workflow token permissions with actual operations --- .github/workflows/cloud.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/cloud.yml b/.github/workflows/cloud.yml index fbad2682..b1f96267 100644 --- a/.github/workflows/cloud.yml +++ b/.github/workflows/cloud.yml @@ -8,7 +8,6 @@ on: permissions: contents: read - pull-requests: read jobs: qa: From 5cedf9b3dc4f98e07d56968c2c2ad1a32498ae66 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:02 +0200 Subject: [PATCH 10/13] fix(ci): align workflow token permissions with actual operations --- .github/workflows/integration.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index a5af721a..fb03d1df 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -8,7 +8,6 @@ on: permissions: contents: read - pull-requests: read jobs: integration: From 19a3284eff2bba6469cf180949b12df1684eb1c8 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:03 +0200 Subject: [PATCH 11/13] fix(ci): align workflow token permissions with actual operations --- .github/workflows/lint.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6857adff..61474dbd 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -8,7 +8,6 @@ on: permissions: contents: read - pull-requests: read jobs: lint: From 649f12f84dd644347afea883edd8baf54189f709 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:04 +0200 Subject: [PATCH 12/13] fix(ci): align workflow token permissions with actual operations --- .github/workflows/size.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/size.yml b/.github/workflows/size.yml index 64107adf..7e11c0f0 100644 --- a/.github/workflows/size.yml +++ b/.github/workflows/size.yml @@ -10,7 +10,6 @@ on: permissions: contents: read - pull-requests: read jobs: build: From 26dc36f590d19cd5112d1e2b5a468ee692cd29da Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Tue, 14 Jul 2026 13:54:06 +0200 Subject: [PATCH 13/13] fix(ci): align workflow token permissions with actual operations --- .github/workflows/type.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/type.yml b/.github/workflows/type.yml index 2ef10d42..a8b36d54 100644 --- a/.github/workflows/type.yml +++ b/.github/workflows/type.yml @@ -8,7 +8,6 @@ on: permissions: contents: read - pull-requests: read jobs: types: