From b4b4425e8e346d8f54584fb9144917314dda786f Mon Sep 17 00:00:00 2001
From: Cory Bullinger
Date: Thu, 4 Jun 2026 10:08:11 -0400
Subject: [PATCH 1/4] chore(ci): add explicit GITHUB_TOKEN permissions to workflows

Set minimal permissions on all workflows to resolve CodeQL actions/missing-workflow-permissions findings (#1-#8).

Co-authored-by: Cursor
---
 .github/workflows/Security-Notification.yml | 3 +++
 .github/workflows/audit-python-fastapi.yml | 3 +++
 .github/workflows/audit-tanstack.yml | 3 +++
 .github/workflows/new-issue-notify.yml | 1 +
 .github/workflows/run-express-tests.yml | 4 ++++
 .github/workflows/run-java-spring-boot-tests.yml | 4 ++++
 .github/workflows/run-python-tests.yml | 4 ++++
 .github/workflows/run-tanstack-tests.yml | 4 ++++
 8 files changed, 26 insertions(+)

diff --git a/.github/workflows/Security-Notification.yml b/.github/workflows/Security-Notification.yml
index c532741..a820c20 100644
--- a/.github/workflows/Security-Notification.yml
+++ b/.github/workflows/Security-Notification.yml
@@ -7,6 +7,9 @@ on:
 # Allows you to test manually
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 check-alerts:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/audit-python-fastapi.yml b/.github/workflows/audit-python-fastapi.yml
index a5d51c0..fc3ab7b 100644
--- a/.github/workflows/audit-python-fastapi.yml
+++ b/.github/workflows/audit-python-fastapi.yml
@@ -7,6 +7,9 @@ on:
 paths:
 - 'mflix/server/python-fastapi/**'
+permissions:
+ contents: read
+
 jobs:
 audit:
 name: pip-audit (Python FastAPI)
diff --git a/.github/workflows/audit-tanstack.yml b/.github/workflows/audit-tanstack.yml
index 99e6dd1..60903ed 100644
--- a/.github/workflows/audit-tanstack.yml
+++ b/.github/workflows/audit-tanstack.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - 'frameworks/javascript/tanstack/**'
+permissions:
+ contents: read
+
 jobs:
 audit:
 name: npm audit (TanStack)
diff --git a/.github/workflows/new-issue-notify.yml b/.github/workflows/new-issue-notify.yml
index c4776fe..61620cd 100644
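Review bot: `contents: read` covers checkout but not alert reads, so whether it is sufficient for check-alerts depends on what the job (outside the hunk) queries with GITHUB_TOKEN: the code-scanning and secret-scanning alert endpoints need `security-events: read`, and the Dependabot alerts endpoint is not covered by any GITHUB_TOKEN scope I know of, requiring a separately provisioned PAT or GitHub App token. If the job already uses such a token, this block is correct, and a comment above it such as `# GITHUB_TOKEN is used only for checkout; alerts are read with <ALERTS_TOKEN_SECRET>` would record that and stop a later reviewer from widening the scopes here. The two audit hunks in this commit (audit-python-fastapi, audit-tanstack) raise no such question, since pip-audit and npm audit only need the checked-out tree.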
--- a/.github/workflows/new-issue-notify.yml
+++ b/.github/workflows/new-issue-notify.yml
@@ -5,6 +5,7 @@ on:
 issues:
 types: [opened]
+permissions: {}
 jobs:
 notify_slack_on_issue:
diff --git a/.github/workflows/run-express-tests.yml b/.github/workflows/run-express-tests.yml
index 5f2fdd4..42f1962 100644
--- a/.github/workflows/run-express-tests.yml
+++ b/.github/workflows/run-express-tests.yml
@@ -12,6 +12,10 @@ on:
 paths:
 - 'mflix/server/js-express/**'
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 test:
 name: Run Express Tests
diff --git a/.github/workflows/run-java-spring-boot-tests.yml b/.github/workflows/run-java-spring-boot-tests.yml
index 2709569..d3f9024 100644
--- a/.github/workflows/run-java-spring-boot-tests.yml
+++ b/.github/workflows/run-java-spring-boot-tests.yml
@@ -12,6 +12,10 @@ on:
 paths:
 - 'mflix/server/java-spring/**'
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 test:
 name: Run Java Spring Boot Tests
diff --git a/.github/workflows/run-python-tests.yml b/.github/workflows/run-python-tests.yml
index 4568fa9..3de10d0 100644
--- a/.github/workflows/run-python-tests.yml
+++ b/.github/workflows/run-python-tests.yml
@@ -12,6 +12,10 @@ on:
 paths:
 - 'mflix/server/python-fastapi/**'
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 test:
 name: Run Python Tests
diff --git a/.github/workflows/run-tanstack-tests.yml b/.github/workflows/run-tanstack-tests.yml
index 8685980..5782256 100644
--- a/.github/workflows/run-tanstack-tests.yml
+++ b/.github/workflows/run-tanstack-tests.yml
@@ -14,6 +14,10 @@ on:
 paths:
 - 'frameworks/javascript/tanstack/**'
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 test:
 name: Run TanStack Tests
From 1940d787425256f08287d92e0ae6bc60ca78fc36 Mon Sep 17 00:00:00 2001
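Review bot: `permissions: {}` removes every GITHUB_TOKEN scope, which is the right setting only if no step in notify_slack_on_issue (the job body is outside the hunk) calls the GitHub API with `github.token`; the `issues` event payload already carries the issue title, body and URL, so a webhook-based notifier does not need a token. If a step does read issue details from the API, it needs `issues: read` rather than `{}`, and the failure would show up as a 403 only when the next issue is opened. A comment above the block such as `# No GITHUB_TOKEN scopes needed: the job reads github.event.issue and posts via a webhook secret` would make the intent explicit for whoever next edits the job.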
From: Cory Bullinger
Date: Mon, 8 Jun 2026 07:02:39 -0400
Subject: [PATCH 2/4] chore(ci): drop unnecessary actions: write from test workflows

upload-artifact@v4 authenticates via ACTIONS_RUNTIME_TOKEN, not GITHUB_TOKEN actions: write. Keep contents: read only per review.

Co-authored-by: Cursor
---
 .github/workflows/run-express-tests.yml | 1 -
 .github/workflows/run-java-spring-boot-tests.yml | 1 -
 .github/workflows/run-python-tests.yml | 1 -
 .github/workflows/run-tanstack-tests.yml | 1 -
 4 files changed, 4 deletions(-)

diff --git a/.github/workflows/run-express-tests.yml b/.github/workflows/run-express-tests.yml
index 42f1962..2fe93b5 100644
--- a/.github/workflows/run-express-tests.yml
+++ b/.github/workflows/run-express-tests.yml
@@ -14,7 +14,6 @@ on:
 permissions:
 contents: read
- actions: write
 jobs:
 test:
diff --git a/.github/workflows/run-java-spring-boot-tests.yml b/.github/workflows/run-java-spring-boot-tests.yml
index d3f9024..d319e6b 100644
--- a/.github/workflows/run-java-spring-boot-tests.yml
+++ b/.github/workflows/run-java-spring-boot-tests.yml
@@ -14,7 +14,6 @@ on:
 permissions:
 contents: read
- actions: write
 jobs:
 test:
diff --git a/.github/workflows/run-python-tests.yml b/.github/workflows/run-python-tests.yml
index 3de10d0..be9b554 100644
--- a/.github/workflows/run-python-tests.yml
+++ b/.github/workflows/run-python-tests.yml
@@ -14,7 +14,6 @@ on:
 permissions:
 contents: read
- actions: write
 jobs:
 test:
diff --git a/.github/workflows/run-tanstack-tests.yml b/.github/workflows/run-tanstack-tests.yml
index 5782256..87c40fe 100644
--- a/.github/workflows/run-tanstack-tests.yml
+++ b/.github/workflows/run-tanstack-tests.yml
@@ -16,7 +16,6 @@ on:
 permissions:
 contents: read
- actions: write
 jobs:
 test:
From 505eb4415dcf197be94efc46c3d675f96eb3465f Mon Sep 17 00:00:00 2001
From: Cory Bullinger
Date: Mon, 8 Jun 2026 07:03:47 -0400
Subject: [PATCH 3/4] chore(ci): add workflow to verify artifact upload permissions

Minimal checkout + upload-artifact job with contents: read only to confirm actions: write is unnecessary. Remove after PR #116 merges.

Co-authored-by: Cursor
---
 .../workflows/verify-artifact-permissions.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/verify-artifact-permissions.yml

diff --git a/.github/workflows/verify-artifact-permissions.yml b/.github/workflows/verify-artifact-permissions.yml
new file mode 100644
index 0000000..bea8194
--- /dev/null
+++ b/.github/workflows/verify-artifact-permissions.yml
@@ -0,0 +1,30 @@
+# Temporary workflow to verify upload-artifact@v4 works with contents: read only.
+# Delete after PR #116 merges and artifact upload is confirmed.
+name: Verify Artifact Upload Permissions
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - chore/workflow-permissions
+
+permissions:
+ contents: read
+
+jobs:
+ verify-upload:
+ name: Upload artifact with contents read only
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+
+ - name: Create test artifact
+ run: echo "artifact upload permissions check" > permissions-check.txt
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: permissions-check
+ path: permissions-check.txt
+ retention-days: 1
From 20ae2dffe9adf24fcf629ad71af209e895d1c42b Mon Sep 17 00:00:00 2001
From: Cory Bullinger
Date: Mon, 8 Jun 2026 07:08:40 -0400
Subject: [PATCH 4/4] chore(ci): remove temporary artifact permissions verification workflow

Verified upload-artifact@v4 succeeds with contents: read only (run 27133317095). No need to keep the throwaway workflow in the repo.

Co-authored-by: Cursor
---
 .../workflows/verify-artifact-permissions.yml | 30 -------------------
 1 file changed, 30 deletions(-)
 delete mode 100644 .github/workflows/verify-artifact-permissions.yml
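Review bot: Both steps in verify-upload reference their actions by mutable major tags, `actions/checkout@v5` and `actions/upload-artifact@v4`, so the code that runs with the repository's GITHUB_TOKEN is whatever those tags point to at run time rather than a reviewed revision. Pinning to a full-length commit SHA with the version in a trailing comment, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # v4`, fixes that; CodeQL's actions/unpinned-tag query flags the same pattern. PATCH 4/4 deletes this file again, so the point is moot for it, but the workflows this series keeps do not show their `uses:` lines in these hunks, so it is worth checking whether they pin the same way.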
diff --git a/.github/workflows/verify-artifact-permissions.yml b/.github/workflows/verify-artifact-permissions.yml
deleted file mode 100644
index bea8194..0000000
--- a/.github/workflows/verify-artifact-permissions.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-# Temporary workflow to verify upload-artifact@v4 works with contents: read only.
-# Delete after PR #116 merges and artifact upload is confirmed.
-name: Verify Artifact Upload Permissions
-
-on:
- workflow_dispatch:
- push:
- branches:
- - chore/workflow-permissions
-
-permissions:
- contents: read
-
-jobs:
- verify-upload:
- name: Upload artifact with contents read only
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v5
-
- - name: Create test artifact
- run: echo "artifact upload permissions check" > permissions-check.txt
-
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: permissions-check
- path: permissions-check.txt
- retention-days: 1