From 891287ec4f7880a502ba29b7a8f4db50785934bc Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:25:09 +0200 Subject: [PATCH 01/14] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/cron-checks.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/cron-checks.yml b/.github/workflows/cron-checks.yml index d66bcb6..935f09f 100644 --- a/.github/workflows/cron-checks.yml +++ b/.github/workflows/cron-checks.yml @@ -15,6 +15,10 @@ env: HOMEBREW_NO_INSTALL_CLEANUP: 1 # Disable cleanup for homebrew, we don't need it on CI GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + actions: write + contents: read + jobs: build-and-test: name: Test LLC From 802b56f966301cded413b376d97be104101f5d73 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:25:11 +0200 Subject: [PATCH 02/14] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/release-merge.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release-merge.yml b/.github/workflows/release-merge.yml index 0176363..9a38d90 100644 --- a/.github/workflows/release-merge.yml +++ b/.github/workflows/release-merge.yml @@ -6,6 +6,10 @@ on: workflow_dispatch: +permissions: + contents: write + pull-requests: read + jobs: merge-release-to-main: name: Merge release to main From a7799aff7d14eea237faab4875c7ef824f618a78 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:25:12 +0200 Subject: [PATCH 03/14] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/release-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 79117b3..207e969 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml @@ -3,6 +3,9 @@ name: "Publish new release" on: workflow_dispatch: +permissions: + contents: write + jobs: release: name: Publish new release From e13a99167bef74760241ed3e7d71c52919def23c Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:25:13 +0200 Subject: [PATCH 04/14] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/release-start.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release-start.yml b/.github/workflows/release-start.yml index 3dcd173..b5bf966 100644 --- a/.github/workflows/release-start.yml +++ b/.github/workflows/release-start.yml @@ -8,6 +8,10 @@ on: type: string required: true +permissions: + actions: write + contents: write + jobs: test-release: name: Start new release From b1b9adfef926c9c5de17cddab5d5f464b1cb1eb9 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:25:14 +0200 Subject: [PATCH 05/14] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/sdk-size-metrics.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/sdk-size-metrics.yml b/.github/workflows/sdk-size-metrics.yml index ec7e2d3..f0b176c 100644 --- a/.github/workflows/sdk-size-metrics.yml +++ b/.github/workflows/sdk-size-metrics.yml @@ -12,6 +12,10 @@ on: env: HOMEBREW_NO_INSTALL_CLEANUP: 1 # Disable cleanup for homebrew, we don't need it on CI +permissions: + contents: read + pull-requests: read + jobs: sdk_size: name: Metrics From d499001da87d41c64c8411064df57cfa75c8c805 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:25:15 +0200 Subject: [PATCH 06/14] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/smoke-checks.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/smoke-checks.yml b/.github/workflows/smoke-checks.yml index 9869b34..6100e6a 100644 --- a/.github/workflows/smoke-checks.yml +++ b/.github/workflows/smoke-checks.yml @@ -24,6 +24,11 @@ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_PR_NUM: ${{ github.event.pull_request.number }} +permissions: + actions: write + contents: read + pull-requests: write + jobs: guard: name: Guard From dd26a827e539bdacc596fc14f07827f187873242 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:25:16 +0200 Subject: [PATCH 07/14] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/sonar.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml index 0259101..a6f096d 100644 --- a/.github/workflows/sonar.yml +++ b/.github/workflows/sonar.yml @@ -12,6 +12,9 @@ concurrency: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + contents: read + jobs: sonar: runs-on: macos-15 From 34d855b4d8c4feccd78da14147c82a5b842b62d8 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:25:17 +0200 Subject: [PATCH 08/14] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/testflight.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/testflight.yml b/.github/workflows/testflight.yml index 473831b..103c679 100644 --- a/.github/workflows/testflight.yml +++ b/.github/workflows/testflight.yml @@ -22,6 +22,10 @@ on: env: HOMEBREW_NO_INSTALL_CLEANUP: 1 +permissions: + contents: read + pull-requests: read + jobs: deploy: runs-on: macos-15 From 5d424a3b144836d35d26a2a4c03997d6b145c5e3 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:25:18 +0200 Subject: [PATCH 09/14] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/update-copyright.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/update-copyright.yml b/.github/workflows/update-copyright.yml index bfa0799..6a78a1b 100644 --- a/.github/workflows/update-copyright.yml +++ b/.github/workflows/update-copyright.yml @@ -10,6 +10,9 @@ on: env: HOMEBREW_NO_INSTALL_CLEANUP: 1 # Disable cleanup for homebrew, we don't need it on CI +permissions: + contents: read + jobs: copyright: name: Copyright From 219a133a9b335e84cac9a5d1db8345d6a06dd526 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 17:30:38 +0200 Subject: [PATCH 10/14] ci: address CodeRabbit review feedback and fix workflow YAML --- .github/workflows/cron-checks.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/cron-checks.yml b/.github/workflows/cron-checks.yml index 935f09f..3d96e69 100644 --- a/.github/workflows/cron-checks.yml +++ b/.github/workflows/cron-checks.yml @@ -16,7 +16,6 @@ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} permissions: - actions: write contents: read jobs: From 00707d5cf4257e467959b3bbdc35cffd565ffa26 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 17:30:41 +0200 Subject: [PATCH 11/14] ci: address CodeRabbit review feedback and fix workflow YAML --- .github/workflows/smoke-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/smoke-checks.yml b/.github/workflows/smoke-checks.yml index 6100e6a..7f13191 100644 --- a/.github/workflows/smoke-checks.yml +++ b/.github/workflows/smoke-checks.yml @@ -27,7 +27,7 @@ env: permissions: actions: write contents: read - pull-requests: write + pull-requests: read jobs: guard: From d1f0636600978676c52a6a5bfaceef6697cc42b6 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 17:30:43 +0200 Subject: [PATCH 12/14] ci: address CodeRabbit review feedback and fix workflow YAML --- .github/workflows/sonar.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml index a6f096d..a801180 100644 --- a/.github/workflows/sonar.yml +++ b/.github/workflows/sonar.yml @@ -13,6 +13,7 @@ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} permissions: + actions: read contents: read jobs: From 31dd4554cb7ba55f463a10047c8fa120271c9609 Mon Sep 17 00:00:00 2001 From: Alexey Alter-Pesotskiy Date: Thu, 9 Jul 2026 12:28:56 +0100 Subject: [PATCH 13/14] [CI] Update permissions --- .github/workflows/release-merge.yml | 2 +- .github/workflows/release-publish.yml | 1 + .github/workflows/release-start.yml | 2 +- .github/workflows/sdk-size-metrics.yml | 1 + .github/workflows/testflight.yml | 2 +- .github/workflows/update-copyright.yml | 3 ++- 6 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-merge.yml b/.github/workflows/release-merge.yml index 9a38d90..5ca277f 100644 --- a/.github/workflows/release-merge.yml +++ b/.github/workflows/release-merge.yml @@ -8,7 +8,7 @@ on: permissions: contents: write - pull-requests: read + pull-requests: write jobs: merge-release-to-main: diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 207e969..13636b0 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml @@ -5,6 +5,7 @@ on: permissions: contents: write + pull-requests: write jobs: release: diff --git a/.github/workflows/release-start.yml b/.github/workflows/release-start.yml index b5bf966..5876b1b 100644 --- a/.github/workflows/release-start.yml +++ b/.github/workflows/release-start.yml @@ -9,8 +9,8 @@ on: required: true permissions: - actions: write contents: write + pull-requests: write jobs: test-release: diff --git a/.github/workflows/sdk-size-metrics.yml b/.github/workflows/sdk-size-metrics.yml index f0b176c..67a19f6 100644 --- a/.github/workflows/sdk-size-metrics.yml +++ b/.github/workflows/sdk-size-metrics.yml @@ -13,6 +13,7 @@ env: HOMEBREW_NO_INSTALL_CLEANUP: 1 # Disable cleanup for homebrew, we don't need it on CI permissions: + actions: write contents: read pull-requests: read diff --git a/.github/workflows/testflight.yml b/.github/workflows/testflight.yml index 103c679..2d34e58 100644 --- a/.github/workflows/testflight.yml +++ b/.github/workflows/testflight.yml @@ -24,7 +24,7 @@ env: permissions: contents: read - pull-requests: read + pull-requests: write jobs: deploy: diff --git a/.github/workflows/update-copyright.yml b/.github/workflows/update-copyright.yml index 6a78a1b..79b81f5 100644 --- a/.github/workflows/update-copyright.yml +++ b/.github/workflows/update-copyright.yml @@ -11,7 +11,8 @@ env: HOMEBREW_NO_INSTALL_CLEANUP: 1 # Disable cleanup for homebrew, we don't need it on CI permissions: - contents: read + contents: write + pull-requests: write jobs: copyright: From f5a497c2c476bac3c41641ce6dccc54ff2ece43f Mon Sep 17 00:00:00 2001 From: Alexey Alter-Pesotskiy Date: Thu, 9 Jul 2026 13:19:57 +0100 Subject: [PATCH 14/14] Update smoke checks pr permission --- .github/workflows/smoke-checks.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/smoke-checks.yml b/.github/workflows/smoke-checks.yml index 7f13191..842b821 100644 --- a/.github/workflows/smoke-checks.yml +++ b/.github/workflows/smoke-checks.yml @@ -25,9 +25,8 @@ env: GITHUB_PR_NUM: ${{ github.event.pull_request.number }} permissions: - actions: write contents: read - pull-requests: read + pull-requests: write jobs: guard: