From 3e9b4c264ed9308401b1abc334866007e735e767 Mon Sep 17 00:00:00 2001 From: "liudmyla.burkan" Date: Thu, 28 May 2026 18:31:45 +0200 Subject: [PATCH] DEVX-773: (AI GENERATED) add explicit permissions to workflow jobs Adds minimal required permissions block to comply with least-privilege principle. GitHub Actions defaults to broad permissions when none are specified. --- .github/workflows/validate-renovate-config.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/validate-renovate-config.yml b/.github/workflows/validate-renovate-config.yml index 1cd903e..f9c3c18 100644 --- a/.github/workflows/validate-renovate-config.yml +++ b/.github/workflows/validate-renovate-config.yml @@ -9,6 +9,8 @@ jobs: detect-modified-renovate-configs: name: Detect modified Renovate configuration files runs-on: ubuntu-latest + permissions: + contents: read outputs: matrix: ${{ steps.changed-renovate-configs.outputs.all_changed_files }} steps: @@ -27,6 +29,8 @@ jobs: validate-renovate-configs: name: Validate Renovate Configs runs-on: ubuntu-latest + permissions: + contents: read needs: [detect-modified-renovate-configs] if: ${{ needs.detect-modified-renovate-configs.outputs.matrix != '[]' }} strategy: @@ -51,10 +55,11 @@ jobs: collect-validation-results: # This job must always run and report a status since it is a required status check name: Renovate validation results collector - needs: + needs: - detect-modified-renovate-configs - validate-renovate-configs runs-on: ubuntu-latest + permissions: {} if: always() && !cancelled() steps: - name: All renovate config validation jobs passed