From 7aa25f5535c8545d3c7796622b7c5da6cf7b5f55 Mon Sep 17 00:00:00 2001 From: Eric Fornaciari Date: Fri, 20 Feb 2026 10:12:30 -0800 Subject: [PATCH 1/2] fix(security): add explicit workflow permissions Resolves CodeQL actions/missing-workflow-permissions alerts. Adds explicit permissions blocks to all workflow YAML files. --- .github/workflows/changesets.yml | 5 +++++ .github/workflows/contracts.yml | 3 +++ .github/workflows/examples.yml | 3 +++ .github/workflows/golangci-lint.yml | 3 +++ .github/workflows/integration-tests-publish.yml | 3 +++ .github/workflows/integration-tests-smoke.yml | 3 +++ .github/workflows/integration-tests-soak.yml | 3 +++ .github/workflows/integration_gauntlet.yml | 3 +++ .github/workflows/lint.yml | 3 +++ .github/workflows/monitoring-build-push-ecr.yml | 3 +++ .github/workflows/relayer.yml | 3 +++ .github/workflows/release/starknet-gauntlet-cli.yml | 5 +++++ .github/workflows/release/starknet-relayer.yml | 5 +++++ .github/workflows/sonar-scan.yml | 3 +++ .github/workflows/static-analysis.yml | 3 +++ 15 files changed, 51 insertions(+) diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml index e5ba7b98..9c0a4ade 100644 --- a/.github/workflows/changesets.yml +++ b/.github/workflows/changesets.yml @@ -5,6 +5,11 @@ on: branches: - main +permissions: + contents: write + pull-requests: write + actions: write + jobs: changesets: name: Changesets diff --git a/.github/workflows/contracts.yml b/.github/workflows/contracts.yml index 997e3bbc..0c8d5f87 100644 --- a/.github/workflows/contracts.yml +++ b/.github/workflows/contracts.yml @@ -7,6 +7,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: contracts_run_ts_tests: name: Run Typescript Tests diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml index 200364d3..354f1124 100644 --- a/.github/workflows/examples.yml +++ b/.github/workflows/examples.yml 
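Review bot: The workflow-level `permissions: contents: read` in contracts.yml, and the identical blocks in examples.yml, golangci-lint.yml, integration_gauntlet.yml, lint.yml, relayer.yml, sonar-scan.yml and static-analysis.yml, set every scope not listed to `none`, so beyond silencing the CodeQL alert this removes whatever the repository's default token used to grant. None of the hunks shows a job that depended on that, but any step that writes check annotations or PR comments would now be refused and needs its scope granted at job level, the way patch 2 does for changesets.yml. A comment above the block, such as `# GITHUB_TOKEN is read-only here; jobs that need more declare it at job level`, would record the intent for the next editor. The `jobs:` bodies these blocks govern lie outside the hunks.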
@@ -7,6 +7,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: run_examples_tests: name: Run Tests diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 94f4e2f4..6dc42ba6 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -3,6 +3,9 @@ name: golangci_lint on: push: +permissions: + contents: read + jobs: golangci-lint-version: name: Get golangci-lint version to from nix diff --git a/.github/workflows/integration-tests-publish.yml b/.github/workflows/integration-tests-publish.yml index 03968bf0..efed3852 100644 --- a/.github/workflows/integration-tests-publish.yml +++ b/.github/workflows/integration-tests-publish.yml @@ -6,6 +6,9 @@ on: branches: - develop +permissions: + contents: read + env: ECR_TAG: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink-starknet-tests:develop diff --git a/.github/workflows/integration-tests-smoke.yml b/.github/workflows/integration-tests-smoke.yml index 009307d9..f82f6875 100644 --- a/.github/workflows/integration-tests-smoke.yml +++ b/.github/workflows/integration-tests-smoke.yml @@ -19,6 +19,9 @@ concurrency: group: integration-tests-starknet-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + env: # for PR builds, ${{ github.sha }} is the temporary merge commit, we want the head commit instead SN_SHA: ${{ github.event.pull_request.head.sha || github.sha }} diff --git a/.github/workflows/integration-tests-soak.yml b/.github/workflows/integration-tests-soak.yml index 1825c558..b18b9f64 100644 --- a/.github/workflows/integration-tests-soak.yml +++ b/.github/workflows/integration-tests-soak.yml @@ -20,6 +20,9 @@ on: required: true type: string +permissions: + contents: read + env: TEST_LOG_LEVEL: debug CL_ECR: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink 
diff --git a/.github/workflows/integration_gauntlet.yml b/.github/workflows/integration_gauntlet.yml index 3ebd2f60..5cf8d32c 100644 --- a/.github/workflows/integration_gauntlet.yml +++ b/.github/workflows/integration_gauntlet.yml @@ -7,6 +7,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: gauntlet_eslint: name: Gauntlet ESLint diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 976cfa23..b7d5fcd3 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,6 +7,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: lint_format_check: name: Format Check diff --git a/.github/workflows/monitoring-build-push-ecr.yml b/.github/workflows/monitoring-build-push-ecr.yml index ffe9c7bf..8aefc4e2 100644 --- a/.github/workflows/monitoring-build-push-ecr.yml +++ b/.github/workflows/monitoring-build-push-ecr.yml @@ -8,6 +8,9 @@ on: - monitoring/** - relayer/** +permissions: + contents: read + jobs: build-and-publish-monitoring: runs-on: ubuntu-latest diff --git a/.github/workflows/relayer.yml b/.github/workflows/relayer.yml index d4d7a1e9..188a6100 100644 --- a/.github/workflows/relayer.yml +++ b/.github/workflows/relayer.yml @@ -7,6 +7,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: relayer_run_unit_tests: name: Run Unit Tests ${{ matrix.test-type.name }} diff --git a/.github/workflows/release/starknet-gauntlet-cli.yml b/.github/workflows/release/starknet-gauntlet-cli.yml index 936da0bb..a7f306e4 100644 --- a/.github/workflows/release/starknet-gauntlet-cli.yml +++ b/.github/workflows/release/starknet-gauntlet-cli.yml @@ -3,10 +3,15 @@ name: Starknet Gauntlet CLI Release on: workflow_dispatch: +permissions: + contents: read + jobs: starknet-gauntlet-cli-release: name: Starknet Gauntlet CLI Release runs-on: ubuntu-latest + permissions: + contents: write steps: # Checkout this repository - name: Checkout Repo 
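Review bot: The job-level `permissions: contents: write` added to starknet-gauntlet-cli-release in starknet-gauntlet-cli.yml gives no indication of which step needs write access, and the identical block in starknet-relayer.yml (next hunk group) has the same gap. Because a job-level block replaces the workflow-level one for that job, this job ends up with exactly `contents: write` and nothing else, which is the right shape, but a reader has to guess whether it is for pushing a tag or creating the release. A comment on the scope, e.g. `contents: write  # publishes the GitHub release — TODO confirm which step needs it`, would pin that down; the release steps themselves are outside the hunk.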
diff --git a/.github/workflows/release/starknet-relayer.yml b/.github/workflows/release/starknet-relayer.yml index 170ec485..75742032 100644 --- a/.github/workflows/release/starknet-relayer.yml +++ b/.github/workflows/release/starknet-relayer.yml @@ -3,10 +3,15 @@ name: Starknet Relayer Release on: workflow_dispatch: +permissions: + contents: read + jobs: starknet-relayer-release: name: Release Starknet Relayer runs-on: ubuntu-latest + permissions: + contents: write steps: # Checkout this repository - name: Checkout Repo diff --git a/.github/workflows/sonar-scan.yml b/.github/workflows/sonar-scan.yml index e13d6f1f..9c4a00f3 100644 --- a/.github/workflows/sonar-scan.yml +++ b/.github/workflows/sonar-scan.yml @@ -3,6 +3,9 @@ name: SonarQube Scan on: pull_request: +permissions: + contents: read + jobs: wait_for_workflows: name: Wait for workflows diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index aaeaf9e6..a9a22902 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -7,6 +7,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: zizmor_analyzer: name: Zizmor From 63d6784a4ebaa0561ae47c8749dcc03fb006addb Mon Sep 17 00:00:00 2001 From: Eric Fornaciari Date: Fri, 20 Feb 2026 10:19:22 -0800 Subject: [PATCH 2/2] fix(security): move write permissions to job level in changesets.yml --- .github/workflows/changesets.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml index 9c0a4ade..93c846ad 100644 --- a/.github/workflows/changesets.yml +++ b/.github/workflows/changesets.yml @@ -6,14 +6,16 @@ on: - main permissions: - contents: write - pull-requests: write - actions: write + contents: read jobs: changesets: name: Changesets runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + actions: write steps: # Checkout this repository - name: Checkout Repo
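Review bot: sonar-scan.yml now gets a workflow-level `contents: read` directly above a job named `wait_for_workflows`; if that job polls other workflow runs through the Actions API, it needs `actions: read`, which this block sets to `none` along with every other unlisted scope. The hunk shows only the job name, so this is an inference to confirm against its steps; if it holds, add under `wait_for_workflows` a job-level `permissions:` with `actions: read` and `contents: read`. The job body is outside the hunk.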
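Review bot: In the second patch the changesets job keeps `actions: write` alongside `contents: write` and `pull-requests: write`, but nothing in the hunk shows a step that needs it; the changesets action typically opens the version PR and pushes tags, which the first two scopes cover. `actions: write` lets the token cancel or dispatch workflow runs, so if it was added so that the PR or tag push would trigger CI, that does not work with GITHUB_TOKEN at any scope, since events created by the token do not start other workflows. Either drop the scope or justify it with a comment such as `actions: write  # dispatches <workflow-name> — confirm`. Moving the write scopes from workflow to job level is the right call; the steps after `Checkout Repo` are outside the hunk.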