From 142637f4a36203c472690c7159f86d639046187e Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Wed, 8 Jul 2026 13:38:35 +0200 Subject: [PATCH 1/2] CI: add least-privilege permissions to GitHub Actions workflows Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164 --- .github/workflows/android.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index 3604cfc..1a974f3 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -6,6 +6,11 @@ on: pull_request: branches: [ main ] +permissions: + actions: write + contents: read + pull-requests: read + jobs: build: runs-on: ubuntu-latest From 63d910e8102ee78618431cac97256bfb41ee0612 Mon Sep 17 00:00:00 2001 From: Peter Matkovski Date: Fri, 10 Jul 2026 14:39:59 +0200 Subject: [PATCH 2/2] CI: upgrade actions/cache from v2 to v4 GitHub now auto-fails workflows using deprecated actions/cache v1/v2. The existing actions: write permission already satisfies cache v4 requirements. --- .github/workflows/android.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index 1a974f3..53ec139 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -23,7 +23,7 @@ jobs: java-version: 11 - name: Cache Gradle and wrapper - uses: actions/cache@v2 + uses: actions/cache@v4 with: path: | ~/.gradle/caches