From f8b3a65d2a5298be7f9de2d8ee421a64dff8d4a1 Mon Sep 17 00:00:00 2001
From: "liudmyla.burkan"
Date: Thu, 28 May 2026 19:28:51 +0200
Subject: [PATCH] DEVX-773: (AI GENERATED) add explicit permissions to workflow jobs Adds minimal required permissions block to comply with least-privilege principle. GitHub Actions defaults to broad permissions when none are specified.
---
 .github/workflows/gradle-build.yml | 4 ++++
 .github/workflows/leanix-github-agent-code-coverage.yml | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/gradle-build.yml b/.github/workflows/gradle-build.yml
index 85f13f3..c069bcb 100644
--- a/.github/workflows/gradle-build.yml
+++ b/.github/workflows/gradle-build.yml
@@ -12,6 +12,7 @@ jobs:
 validation:
 name: Branch name validation
 runs-on: ubuntu-latest
+ permissions: {}
 steps:
 - name: Check branch name
 run: |
@@ -29,6 +30,9 @@ jobs:
 name: Build and test
 needs: validation
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: write
 steps:
 - name: Checkout
 uses: actions/checkout@v3
diff --git a/.github/workflows/leanix-github-agent-code-coverage.yml b/.github/workflows/leanix-github-agent-code-coverage.yml
index af5005c..60b027b 100644
--- a/.github/workflows/leanix-github-agent-code-coverage.yml
+++ b/.github/workflows/leanix-github-agent-code-coverage.yml
@@ -13,6 +13,10 @@ jobs:
 leanix-github-agent-connector-ci:
 name: Build and test LeanIX GitHub Agent
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: write
+ pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@v3
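Review bot: `actions: write` on the `Build and test` job in gradle-build.yml (second hunk), and again on `leanix-github-agent-connector-ci` in leanix-github-agent-code-coverage.yml, does not look minimal from what the hunk shows. That scope lets the job token cancel and re-run workflow runs and delete caches, while the only visible step, `actions/checkout@v3`, needs `contents: read` alone. The step list continues outside the hunk, so a later step may really need it; if so, record the reason with a comment such as `# actions: write is required by <step name>` above the entry. Otherwise lower it to `actions: read` or drop the line, since the commit message promises the minimal required set.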
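Review bot: `pull-requests: write` in leanix-github-agent-code-coverage.yml is granted to the whole `leanix-github-agent-connector-ci` job, so every step in it runs with a token that can comment on and edit pull requests. That presumably includes the build and test steps outside the hunk, which execute repository and plugin code, and not only the step that publishes the coverage result. Consider moving the publishing step into its own small job that carries `pull-requests: write`, leaving the build job at `contents: read`. At minimum, add a comment naming the step that needs the scope, e.g. `# pull-requests: write is required by <coverage comment step>`. The workflow's `on:` triggers are not visible here, so it is worth confirming that this write-scoped job is never run for untrusted pull-request code.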