From 364e52b70af2e6ecf1a5811f8dff2dce299941b5 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:28:38 +0200 Subject: [PATCH 1/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 847182be1..419bcb612 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,12 @@ on: env: BUILD_CACHE_KEY: ${{ github.sha }}-dist + +permissions: + actions: write + contents: read + pull-requests: read + jobs: lint: runs-on: ubuntu-latest From f5fcafa4a9141d53296475c9315b82fcad8f414c Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:28:39 +0200 Subject: [PATCH 2/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/pr-check.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml index 95c0aae2c..983c63872 100644 --- a/.github/workflows/pr-check.yml +++ b/.github/workflows/pr-check.yml @@ -4,6 +4,10 @@ on: pull_request: types: [opened, edited, synchronize, reopened] +permissions: + contents: read + pull-requests: read + jobs: pr-title: name: Validate PR Title From 703f693ecff583b54abb1aa60d2ce979394a3e90 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:28:40 +0200 Subject: [PATCH 3/4] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/size.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/size.yml b/.github/workflows/size.yml index 6f593d79c..1c59a94c0 100644 --- a/.github/workflows/size.yml +++ b/.github/workflows/size.yml @@ -10,6 +10,10 @@ on: env: NODE_OPTIONS: --max_old_space_size=4096 +permissions: + contents: read + pull-requests: read + jobs: compressed-size: name: Compressed Size From 23c18620994d825cac7e281a9244888828c8c4af Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 16:08:52 +0200 Subject: [PATCH 4/4] Address CodeRabbit review feedback on workflow permissions. Scope actions: write to the build job that saves the cache, and grant pull-requests: write so compressed-size-action can post PR comments. Co-authored-by: Cursor --- .github/workflows/ci.yml | 4 +++- .github/workflows/size.yml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 419bcb612..766d64dce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,6 @@ env: BUILD_CACHE_KEY: ${{ github.sha }}-dist permissions: - actions: write contents: read pull-requests: read @@ -31,6 +30,9 @@ jobs: build: runs-on: ubuntu-latest + permissions: + actions: write + contents: read name: Build & Validate steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/size.yml b/.github/workflows/size.yml index 1c59a94c0..92ec10160 100644 --- a/.github/workflows/size.yml +++ b/.github/workflows/size.yml @@ -12,7 +12,7 @@ env: permissions: contents: read - pull-requests: read + pull-requests: write jobs: compressed-size: