From 0040710ef4470ef1b22e593478bff316122405c2 Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Sat, 18 Apr 2026 01:54:08 +0000 Subject: [PATCH 1/2] fix: add explicit empty permissions to docs-broken-links workflow This addresses CodeQL alert #1 (actions/missing-workflow-permissions). The workflow checks for broken links in docs using Mintlify CLI and doesn't require any GitHub token access. Adding permissions: {} ensures the workflow runs with minimal privileges, reducing supply-chain risk. Co-authored-by: Michael Sukkarieh --- .github/workflows/docs-broken-links.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/docs-broken-links.yml b/.github/workflows/docs-broken-links.yml index 4e410c496..9f130839e 100644 --- a/.github/workflows/docs-broken-links.yml +++ b/.github/workflows/docs-broken-links.yml @@ -1,5 +1,7 @@ name: Check for broken links in docs +permissions: {} + on: pull_request: branches: ["main"] From b1aad963c26b3265266f9d9247a6b2f998907049 Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Sat, 18 Apr 2026 01:54:45 +0000 Subject: [PATCH 2/2] chore: add CHANGELOG entry for workflow permissions fix Co-authored-by: Michael Sukkarieh --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 454eebecd..f167a0ae5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed - Fixed revision selection so the 64-revision cap prefers the newest matching branches and tags instead of pruning by ref-name order. [#1122](https://github.com/sourcebot-dev/sourcebot/pull/1122) - Fixed infinite pagination loop in Gitea/Forgejo when an API token can only see a subset of org repos (the `x-total-count` header reports org total while token returns fewer items). [#1130](https://github.com/sourcebot-dev/sourcebot/pull/1130) +- Fixed missing workflow permissions in `docs-broken-links.yml` by adding explicit `permissions: {}` to follow least privilege principle. [#1131](https://github.com/sourcebot-dev/sourcebot/pull/1131) ## [4.16.11] - 2026-04-17
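Review bot: in the `.github/workflows/docs-broken-links.yml` hunk, the new top-level `permissions: {}` carries no comment saying why it is empty, and the jobs it governs are outside the visible context. Suggest a one-line comment above it, for example `# link check needs no GITHUB_TOKEN scopes`, so a later change does not widen the block without thought. Also confirm that every job in the file still passes with an empty token on a `pull_request` run against `main`; if a step turns out to need repository read access through the token, grant `contents: read` on that job only and keep the workflow-level default empty.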
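Review bot: in the `CHANGELOG.md` hunk, the added entry ends with "to follow least privilege principle", which is missing an article; suggest "to follow the principle of least privilege". The two existing entries above it under `### Fixed` describe product behaviour (revision selection, Gitea/Forgejo pagination), so it is worth checking whether a CI-only workflow change belongs in the same list or should be left out of the user-facing changelog.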