chore(ci): apply least privilege permission to GitHub Actions

[yasnagat]

Proposed changes

This PR applies the principle of least privilege to GITHUB_TOKEN permissions across all GitHub Actions workflows by setting permissions: {} globally and explicitly re-granting only the minimum permissions required per job, as part of a supply chain security hardening effort.

Workflows relied on GitHub’s default token scopes, which may grant more access than most jobs actually need. Scoping permissions at the job level reduces the attack surface in the event that a GitHub Action, third-party dependency, or CI component is compromised, helping mitigate the impact of potential supply chain attacks and limiting unnecessary repository access.

Issue(s)

SB-975

How to test or reproduce

Screenshots

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• Improvement (non-breaking change which improves a current function)
• New feature (non-breaking change which adds functionality)
• Documentation update (if none of the other choices apply)

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA
• Lint and unit tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works (if applicable)
• I have added necessary documentation (if applicable)
• Any dependent changes have been merged and published in downstream modules

Further comments

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow permissions across build, test, and deployment pipelines to follow the principle of least privilege, restricting default permissions and explicitly granting only necessary access to each job for enhanced security.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 439ff77d-efde-41c4-a038-b4777207f376

📥 Commits

Reviewing files that changed from the base of the PR and between 41444f4 and fec6208.

📒 Files selected for processing (12)

• .github/workflows/build-android.yml
• .github/workflows/build-develop.yml
• .github/workflows/build-ios.yml
• .github/workflows/build-pr.yml
• .github/workflows/e2e-build-android.yml
• .github/workflows/e2e-build-ios.yml
• .github/workflows/eslint.yml
• .github/workflows/generate-changelog.yml
• .github/workflows/maestro-android.yml
• .github/workflows/maestro-ios.yml
• .github/workflows/organize_translations.yml
• .github/workflows/prettier.yml

📜 Recent review details

🧰 Additional context used

🪛 zizmor (1.25.2)

.github/workflows/build-pr.yml

[warning] 60-60: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

---

[warning] 84-84: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🔇 Additional comments (20)

.github/workflows/build-android.yml (6)

11-11: LGTM!

---

17-17: LGTM!

---

26-27: LGTM!

---

65-65: LGTM!

---

77-79: LGTM!

---

97-99: LGTM!

.github/workflows/build-ios.yml (4)

11-11: LGTM!

---

17-17: LGTM!

---

26-27: LGTM!

---

66-68: LGTM!

.github/workflows/eslint.yml (1)

6-7: LGTM!

Also applies to: 11-12

.github/workflows/generate-changelog.yml (1)

6-7: LGTM!

Also applies to: 12-13

.github/workflows/maestro-android.yml (1)

10-11: LGTM!

Also applies to: 16-17

.github/workflows/maestro-ios.yml (1)

10-11: LGTM!

Also applies to: 15-16

.github/workflows/organize_translations.yml (1)

8-9: LGTM!

Also applies to: 13-14

.github/workflows/prettier.yml (1)

12-13: LGTM!

Also applies to: 18-19

.github/workflows/e2e-build-android.yml (1)

15-16: LGTM!

Also applies to: 20-21

.github/workflows/e2e-build-ios.yml (1)

23-24: LGTM!

Also applies to: 28-29

.github/workflows/build-develop.yml (1)

12-12: LGTM!

Also applies to: 18-19, 25-26, 32-33, 43-44

.github/workflows/build-pr.yml (1)

12-12: LGTM!

Also applies to: 18-19, 25-27, 37-39, 49-49, 58-59, 67-68, 82-83, 91-92

---

Walkthrough

This PR hardens GitHub Actions security across eleven workflow files by explicitly declaring minimal token permissions. All workflows now restrict default GitHub token access via permissions: {} at the workflow level and grant only the specific per-job permissions required (contents: read, contents: write, or pull-requests: write), replacing implicit defaults.

Changes

CI/CD Workflow Permissions

Layer / File(s)	Summary
Android build pipeline permissions .github/workflows/build-android.yml	Hold approval gates receive empty permissions: {}. Build jobs receive contents: read. Upload jobs receive contents: read and pull-requests: write for PR comments.
iOS build pipeline permissions .github/workflows/build-ios.yml	Hold approval gates receive empty permissions: {}. Build jobs receive contents: read. Upload jobs receive contents: read and pull-requests: write for PR interactions.
Build coordination workflows permissions .github/workflows/build-develop.yml, .github/workflows/build-pr.yml	Workflow-level permissions removed or restricted to empty default. ESLint/test, build-store, and E2E jobs each declare explicit contents: read or pull-requests: write based on their function (reusable workflows call sites in build-develop; interdependent job gates and store uploads in build-pr).
E2E test workflow permissions .github/workflows/e2e-build-android.yml, .github/workflows/e2e-build-ios.yml	Workflow-level and job-level permissions: {} paired with job-specific contents: read grants for artifact build steps.
Utility workflow permissions .github/workflows/eslint.yml, .github/workflows/generate-changelog.yml, .github/workflows/maestro-android.yml, .github/workflows/maestro-ios.yml, .github/workflows/organize_translations.yml, .github/workflows/prettier.yml	All add workflow-level permissions: {} defaults. ESLint, changelog, and Maestro jobs use contents: read. Translations and Prettier jobs use contents: write to enable commit/push operations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

type: chore

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: applying least privilege permissions to GitHub Actions workflows across all files in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• SB-975: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}