From 31201ab8dfb4197e445d0c86d861fb069c6d91df Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 21:00:33 +0000
Subject: [PATCH] Add explicit permissions blocks to all workflows missing them
Add 'permissions: contents: read' to mobile-build, android-build, desktop-build, rust-tests, and frontend-tests workflows. This follows the principle of least privilege for the GITHUB_TOKEN, limiting it to only read access which is sufficient for checkout, caching, and upload-artifact operations. The remaining workflows (claude, release, zapstore-publish, testflight-on-comment) already had explicit permissions blocks.
Co-Authored-By: unknown <>
---
 .github/workflows/android-build.yml | 5 ++++-
 .github/workflows/desktop-build.yml | 3 +++
 .github/workflows/frontend-tests.yml | 3 +++
 .github/workflows/mobile-build.yml | 5 ++++-
 .github/workflows/rust-tests.yml | 3 +++
 5 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/android-build.yml b/.github/workflows/android-build.yml
index 5803d88e..4b16c5a6 100644
--- a/.github/workflows/android-build.yml
+++ b/.github/workflows/android-build.yml
@@ -1,5 +1,8 @@
 name: Android App CI
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ master ]
@@ -219,4 +222,4 @@ jobs:
 name: maple-android-aab
 path: |
 frontend/src-tauri/gen/android/app/build/outputs/bundle/universalRelease/app-universal-release.aab
- retention-days: 5
\ No newline at end of file
+ retention-days: 5
diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml
index cca42d67..3764eb97 100644
--- a/.github/workflows/desktop-build.yml
+++ b/.github/workflows/desktop-build.yml
@@ -1,5 +1,8 @@
 name: Desktop App CI
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ master ]
diff --git a/.github/workflows/frontend-tests.yml b/.github/workflows/frontend-tests.yml
index cd8c0f98..e1e3a680 100644
--- a/.github/workflows/frontend-tests.yml
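Review bot: The top-level `permissions:` block added at the head of android-build.yml has no comment explaining its scope, and the same holds for the identical blocks added in desktop-build.yml, frontend-tests.yml, mobile-build.yml and rust-tests.yml. Declaring any scope at workflow level sets every unlisted GITHUB_TOKEN scope to `none` for all jobs, so a step in the job bodies (outside these hunks) that uses the token for anything beyond reading the repository would lose access; worth confirming with one run of each workflow. I would add a comment above the block, e.g. `# Least-privilege default for GITHUB_TOKEN: unlisted scopes are none; widen per job, not here.`, so that later changes grant extra scopes at job level instead of loosening this default.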
+++ b/.github/workflows/frontend-tests.yml
@@ -1,5 +1,8 @@
 name: Frontend Tests
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ master ]
diff --git a/.github/workflows/mobile-build.yml b/.github/workflows/mobile-build.yml
index accc127c..e340421a 100644
--- a/.github/workflows/mobile-build.yml
+++ b/.github/workflows/mobile-build.yml
@@ -1,5 +1,8 @@
 name: Mobile App CI
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ master ]
@@ -163,4 +166,4 @@ jobs:
 xcrun altool --upload-app --type ios \
 --file "$IPA_PATH" \
 --apiKey ${{ secrets.APPLE_API_KEY }} \
- --apiIssuer ${{ secrets.APPLE_API_ISSUER }}
\ No newline at end of file
+ --apiIssuer ${{ secrets.APPLE_API_ISSUER }}
diff --git a/.github/workflows/rust-tests.yml b/.github/workflows/rust-tests.yml
index ca2d3d76..c1a5fdb1 100644
--- a/.github/workflows/rust-tests.yml
+++ b/.github/workflows/rust-tests.yml
@@ -1,5 +1,8 @@
 name: Rust Unit Tests
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ master ]
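Review bot: In mobile-build.yml the added `contents: read` default narrows only GITHUB_TOKEN; the `xcrun altool` step visible as context in the `@@ -163,4 +166,4 @@` hunk still pastes `${{ secrets.APPLE_API_KEY }}` and `${{ secrets.APPLE_API_ISSUER }}` unquoted into the script text, which this commit leaves as is. Expression expansion happens before the shell parses the script, so whitespace or shell metacharacters in either value would be interpreted as shell syntax rather than passed as data, unlike the neighbouring `"$IPA_PATH"`, which is quoted. Mapping both secrets through the step's `env:` block and passing `--apiKey "$APPLE_API_KEY" \` and `--apiIssuer "$APPLE_API_ISSUER"` would keep them as data. The step starts outside the hunk, so whether an `env:` mapping already exists cannot be seen from here.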