From dd598b60a0a801d07fba520ddc01ea4501d19d8e Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:23 +0200 Subject: [PATCH 1/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/android.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index 5d55506ec..33afaf4e3 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -6,6 +6,11 @@ on: pull_request: branches: [ main ] +permissions: + actions: write + contents: read + pull-requests: read + jobs: build: runs-on: ubuntu-latest From ba6b7d6576f10f30b1ef6387e6204f18e8ac1911 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:24 +0200 Subject: [PATCH 2/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/publish-snapshot.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml index 367d54809..4c3d5cdfd 100644 --- a/.github/workflows/publish-snapshot.yml +++ b/.github/workflows/publish-snapshot.yml @@ -5,7 +5,10 @@ on: branches: - main workflow_dispatch: - + +permissions: + contents: read + jobs: publish: name: Snapshot build and publish From aac166c8e28822ce3d1cf7927c8ee272fbfce7a2 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:25 +0200 Subject: [PATCH 3/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f45a55ec9..7b952c30e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,9 @@ on: types: [released] workflow_dispatch: +permissions: + contents: read + jobs: publish: name: Release build and publish From 0c3cefc2eaed80033639362ead38edceb46bd103 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:31:26 +0200 Subject: [PATCH 4/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/release-docs.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release-docs.yaml b/.github/workflows/release-docs.yaml index ab283654c..a5bffc813 100644 --- a/.github/workflows/release-docs.yaml +++ b/.github/workflows/release-docs.yaml @@ -6,6 +6,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: publish_dokka: name: Dokka docs