Skip to content

Add explicit permissions blocks to all workflows missing them#442

Merged
AnthonyRonning merged 1 commit intomasterfrom
devin/1772053214-add-workflow-permissions
Feb 25, 2026
Merged

Add explicit permissions blocks to all workflows missing them#442
AnthonyRonning merged 1 commit intomasterfrom
devin/1772053214-add-workflow-permissions

Conversation

@devin-ai-integration
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration bot commented Feb 25, 2026
edited
Loading

Summary

Adds permissions: contents: read to 5 GitHub Actions workflows that were missing explicit permission declarations, addressing a CodeQL security warning. This follows the principle of least privilege by restricting the GITHUB_TOKEN to read-only access.

Workflows updated:

  • mobile-build.yml
  • android-build.yml
  • desktop-build.yml
  • frontend-tests.yml
  • rust-tests.yml

Already had permissions (no changes needed):

  • claude.yml
  • release.yml
  • zapstore-publish.yml
  • testflight-on-comment.yml

Review & Testing Checklist for Human

  • Verify desktop-build.yml works correctly with contents: read — it passes GITHUB_TOKEN to tauri-apps/tauri-action@v0. In CI mode (non-release) this should be fine since it's just building, but confirm the action doesn't attempt any write operations during PR/push builds.
  • Confirm all 5 affected CI workflows pass on this PR (they only need checkout, caching, and artifact upload, which all work with read-only access).

Notes

Open with Devin

@devin-ai-integration
Add explicit permissions blocks to all workflows missing them
31201ab 
Add 'permissions: contents: read' to mobile-build, android-build,
desktop-build, rust-tests, and frontend-tests workflows.

This follows the principle of least privilege for the GITHUB_TOKEN,
limiting it to only read access which is sufficient for checkout,
caching, and upload-artifact operations. The remaining workflows
(claude, release, zapstore-publish, testflight-on-comment) already
had explicit permissions blocks.

Co-Authored-By: unknown <>
@devin-ai-integration
Copy link
Copy Markdown
Contributor Author

devin-ai-integration bot commented Feb 25, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages bot commented Feb 25, 2026

Deploying maple with  Cloudflare Pages  Cloudflare Pages

Latest commit: 31201ab
Status: ✅  Deploy successful!
Preview URL: https://ccb9b68c.maple-ca8.pages.dev
Branch Preview URL: https://devin-1772053214-add-workflo.maple-ca8.pages.dev

View logs

devin-ai-integration[bot]
devin-ai-integration bot commented Feb 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor Author

@devin-ai-integration devin-ai-integration bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

Open in Devin Review

@AnthonyRonning AnthonyRonning merged commit 30cdf64 into master Feb 25, 2026
12 checks passed
@AnthonyRonning AnthonyRonning deleted the devin/1772053214-add-workflow-permissions branch February 25, 2026 21:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AnthonyRonning AnthonyRonning Awaiting requested review from AnthonyRonning

Assignees

@AnthonyRonning AnthonyRonning

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AnthonyRonning