From e5d06f0419ff6a7a2ce2778870446cb71f4227ab Mon Sep 17 00:00:00 2001
From: Panagiotis Siatras
Date: Wed, 20 May 2026 14:51:06 +0300
Subject: [PATCH 1/2] gh: aligned workflow permissions with smallstep/workflows#324
---
 .github/workflows/actionci.yml | 1 +
 .github/workflows/triage.yml | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
index 9a3f9e2..f8482e6 100644
--- a/.github/workflows/actionci.yml
+++ b/.github/workflows/actionci.yml
@@ -16,6 +16,7 @@ jobs:
 actionci:
 permissions:
 contents: read
+ actions: read
 security-events: write
 uses: smallstep/workflows/.github/workflows/actionci.yml@main
 secrets: inherit
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index d6e1e43..534b2d3 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -15,6 +15,5 @@ jobs:
 permissions:
 contents: read
 issues: write
- pull-requests: write
 uses: smallstep/workflows/.github/workflows/triage.yml@main
 secrets: inherit
From b8918021e36f2f0ded585b976a90b260944f5cc2 Mon Sep 17 00:00:00 2001
From: Panagiotis Siatras
Date: Wed, 20 May 2026 16:29:10 +0300
Subject: [PATCH 2/2] gh: forwarded codeql secrets through code-scan-cron.yml
---
 .github/workflows/code-scan-cron.yml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
index 7d59d23..c0388a3 100644
--- a/.github/workflows/code-scan-cron.yml
+++ b/.github/workflows/code-scan-cron.yml
@@ -2,13 +2,11 @@ on:
 schedule:
 - cron: '0 0 * * SUN'
 
-permissions:
- actions: read
- contents: read
- security-events: write
-
 jobs:
 code-scan:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
 uses: smallstep/workflows/.github/workflows/code-scan.yml@main
- secrets:
- GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}
+ secrets: inherit
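Review bot: The `actions: read` scope added in the actionci.yml hunk is handed to a reusable workflow referenced by the mutable ref `@main`, alongside `security-events: write` and `secrets: inherit`, so whatever is on that branch at run time executes with this token and with every secret the caller can see. Pinning the call to a full commit SHA, `uses: smallstep/workflows/.github/workflows/actionci.yml@<full-commit-sha>  # main`, would let a permission change like this one be reviewed against a fixed callee. The same applies to the `uses:` lines in the triage.yml and code-scan-cron.yml hunks. If the upstream change named in the subject is the reason for the new scope, a comment above the added line such as `# required by the called workflow, see smallstep/workflows#324` would record why it was widened.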
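Review bot: In the code-scan-cron.yml hunk, `secrets: inherit` replaces the explicit `GITLEAKS_LICENSE_KEY` mapping, so the scheduled scan now forwards every secret available to this repository to the called workflow rather than only the ones it needs. Listing them by name keeps the exposure bounded: keep `GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}` and add one line per CodeQL secret, e.g. `<CODEQL_SECRET_NAME>: ${{ secrets.<CODEQL_SECRET_NAME> }}` (placeholder; the real names are not visible in this patch). Moving `permissions:` from workflow level into the job also leaves the file without a workflow-wide default, so a job added later would fall back to the repository's default token scopes; a top-level `permissions: {}` would keep a deny-by-default baseline.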