From a106cbf3c868259d672643b73221de8b4a3bf771 Mon Sep 17 00:00:00 2001
From: Emal Alwis
Date: Wed, 15 Apr 2026 00:08:22 -0700
Subject: [PATCH] ci: add minimum workflow permissions (CodeQL actions/missing-workflow-permissions)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds `permissions: contents: read` at the workflow level to ci.yml, client-ci.yml, and client-e2e.yml. These workflows only checkout code and run tests/builds — no writes to the repo or issues required. Explicitly declaring minimum permissions resolves the 7 open CodeQL alerts for actions/missing-workflow-permissions and follows the least-privilege best practice. The other workflows (release.yml, release-e2e.yml, docker.yml, docs.yml, evals-*.yml, client-release.yml, client-playwright.yml) already declare permissions.
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/client-ci.yml | 3 +++
 .github/workflows/client-e2e.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 49c59ff..bd84885 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
   RUSTFLAGS: "-D warnings"
diff --git a/.github/workflows/client-ci.yml b/.github/workflows/client-ci.yml
index 23f9d99..63a4b10 100644
--- a/.github/workflows/client-ci.yml
+++ b/.github/workflows/client-ci.yml
@@ -11,6 +11,9 @@ on:
       - 'client/**'
       - 'packages/agent_code_client/**'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Dart tests
diff --git a/.github/workflows/client-e2e.yml b/.github/workflows/client-e2e.yml
index cab802e..9f85e11 100644
--- a/.github/workflows/client-e2e.yml
+++ b/.github/workflows/client-e2e.yml
@@ -8,6 +8,9 @@ on:
       - 'packages/agent_code_client/**'
       - 'crates/cli/src/serve.rs'
 
+permissions:
+  contents: read
+
 jobs:
   e2e:
     name: E2E tests (agent + WebSocket + LLM)
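Review bot: The workflow-level `permissions: contents: read` block in ci.yml — and the identical blocks in client-ci.yml and client-e2e.yml — caps the GITHUB_TOKEN for every job in each file, but the `jobs:` sections lie outside all three hunks, so the patch itself does not show that no step writes back to GitHub (PR comments via github-script, check annotations, SARIF or coverage uploads through the API would now fail with 403 rather than being caught by CodeQL). If such a step exists, the least-privilege fix is a job-level `permissions:` override on that one job rather than widening the workflow block. A short comment above each block would keep the intent from being eroded by the next person who adds a publishing step, e.g. `# Least-privilege default token: these jobs only check out and build. Add job-level permissions for any step that must write.`. Note also that this restricts only the token, not access to repository secrets, so the LLM credentials the e2e job presumably uses are unaffected by this change.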