Add explicit workflow permissions and pin Alpine package versions in Dockerfiles by ehsanking · Pull Request #110 · ehsanking/ElaheMessenger

ehsanking · 2026-04-06T10:56:53Z

Introduce explicit minimal permissions for GitHub Actions workflows to follow least-privilege practice and allow workflows to read repository contents.
Improve reproducibility and runtime stability of container builds by pinning Alpine package versions in Dockerfile and Dockerfile.prod.
Ensure the Defender workflow has the required job-level permissions for uploading results and reporting security events.

Added top-level permissions: contents: read to codeql.yml, defender-for-devops.yml, docker-image.yml, and npm-publish-github-packages.yml, and added job-level permissions (contents: read, security-events: write, actions: read) to the MSDO job in defender-for-devops.yml.
Updated Dockerfile and Dockerfile.prod to pin Alpine packages using globs (e.g. openssl=3.*, libc6-compat=1.*) and added pinned wget and su-exec where required, converting apk add invocations to a multi-line form.
Retained existing CodeQL job-level permissions and ensured security-events: write and packages: read remain present where needed.

chatgpt-codex-connector · 2026-04-06T10:56:57Z

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

ci(workflows): define explicit GITHUB_TOKEN permissions

5357c4f

ehsanking added the codex label Apr 6, 2026 — with ChatGPT Codex Connector

ehsanking merged commit 30a98e4 into main Apr 6, 2026
5 of 10 checks passed

Provide feedback