From b79d6bb2f05e43647072293a3e0a5a69109fc62f Mon Sep 17 00:00:00 2001
From: Alex Wichmann
Date: Mon, 8 Jun 2026 08:27:17 +0200
Subject: [PATCH 1/2] feat: add Obfuscan workflow for pull requests

Adds a new job named Obfuscan to the CI workflow to scan the pull request diff using the ByteBardOrg/obfuscan-action. This job runs only when a pull request is opened, and it uses the head SHA of the pull request to check for potential issues in the code changes before the main build proceeds.
---
 .github/workflows/ci.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5b00e7d..a022c78 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,23 @@ on:
 - '!**/*.md'
 workflow_dispatch:
 jobs:
+ obfuscan:
+ if: github.event_name == 'pull_request'
+ name: Obfuscan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ issues: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Scan PR diff
+ uses: ByteBardOrg/obfuscan-action@v1
+ with:
+ fail-on: block
+
 build:
 runs-on: ${{ matrix.os }}

From 2716d162209a65b3b78151d6ee8980485d458adc Mon Sep 17 00:00:00 2001
From: Alex Wichmann
Date: Mon, 8 Jun 2026 09:04:56 +0200
Subject: [PATCH 2/2] Potential fix for code scanning alert no. 4: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Alex Wichmann
---
 .github/workflows/pr-title-lint.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/pr-title-lint.yml b/.github/workflows/pr-title-lint.yml
index abe0796..4858b42 100644
--- a/.github/workflows/pr-title-lint.yml
+++ b/.github/workflows/pr-title-lint.yml
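Review bot: In `.github/workflows/ci.yml`, the new `obfuscan` job runs a third-party action by mutable tag (`ByteBardOrg/obfuscan-action@v1`) while the job token carries `issues: write`, so a moved tag would change what executes with that token. Pin it to a reviewed commit, e.g. `uses: ByteBardOrg/obfuscan-action@<full-commit-sha> # v1` (placeholder), and add `persist-credentials: false` under the checkout step's `with:` so the token is not left in the git config of the checked-out PR head. The description says the scan runs before the main build, but no `needs: obfuscan` is visible on `build` (its body continues outside the hunk), so the two jobs presumably run in parallel. Also, `if: github.event_name == 'pull_request'` matches every pull_request activity the workflow triggers on, not only `opened` as the description states.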
@@ -4,6 +4,10 @@ on:
 pull_request_target:
 types: [opened, reopened, synchronize, edited, ready_for_review]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 lint-pr-title:
 name: Lint PR title
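Review bot: The new top-level `permissions` block grants `pull-requests: write` to every job in a `pull_request_target` workflow, which runs with the base repository's token even for pull requests from forks. If `lint-pr-title` only reads the title and reports through its exit status, `pull-requests: read` is enough; if it does comment or label, move the write grant into that job's own `permissions:` so jobs added later do not inherit it. The job's steps are outside this hunk, so confirm they neither check out the PR head nor expand `${{ github.event.pull_request.title }}` directly inside a `run:` script; pass the title through `env:` instead.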