openwallet-foundation · PatStLouis · Feb 24, 2026 · Feb 27, 2026 · Copilot · Feb 24, 2026
diff --git a/.github/actions/run-integration-tests/action.yml b/.github/actions/run-integration-tests/action.yml
@@ -19,10 +19,19 @@ runs:
   steps:
     - name: run-integration-tests-acapy
       # to run with external ledger and tails server run as follows (and remove the ledger and tails actions from the workflow):
-      # run: LEDGER_URL=https://test.bcovrin.vonx.io PUBLIC_TAILS_URL=https://tails.vonx.io ./run_bdd ${{ inputs.TEST_SCOPE }}
-      run: ./run_bdd ${{ inputs.TEST_SCOPE }}
+      # run: LEDGER_URL=... PUBLIC_TAILS_URL=... ./run_bdd $TEST_SCOPE
+      run: |
+        set -euo pipefail
+        if [ -n "${TEST_SCOPE-}" ]; then
+          # Split TEST_SCOPE on whitespace into an argv-safe array
+          read -r -a scope_args <<< "$TEST_SCOPE"
+          ./run_bdd "${scope_args[@]}"
+        else
+          ./run_bdd
+        fi
       shell: bash
       env:
+        TEST_SCOPE: ${{ inputs.TEST_SCOPE }}
         LEDGER_URL: ${{ inputs.IN_LEDGER_URL }}
         PUBLIC_TAILS_URL: ${{ inputs.IN_PUBLIC_TAILS_URL }}
         LOG_LEVEL: warning

diff --git a/.github/workflows/bdd-integration-tests.yml b/.github/workflows/bdd-integration-tests.yml
@@ -10,8 +10,6 @@ on:
     types: [opened, synchronize, reopened, ready_for_review]
 
 permissions:
-  contents: read
-  pull-requests: read
   checks: write
 
 concurrency:
@@ -25,6 +23,10 @@ defaults:
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     # Run on openwallet-foundation and non-draft PRs or on non-PR events
     if: (github.repository == 'openwallet-foundation/acapy') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request'))
     outputs:

diff --git a/.github/workflows/bdd-interop-tests.yml b/.github/workflows/bdd-interop-tests.yml
@@ -9,11 +9,6 @@ on:
       - main
     types: [opened, synchronize, reopened, ready_for_review]
 
-permissions:
-  contents: read
-  pull-requests: read
-  checks: write
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -25,6 +20,10 @@ defaults:
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     # Run on openwallet-foundation and non-draft PRs or on non-PR events
     if: (github.repository == 'openwallet-foundation/acapy') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request'))
     outputs:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,21 +1,19 @@
 name: "Code scanning - action"
 
-"on":
+on:
   push:
   pull_request:
   schedule:
     - cron: "0 19 * * 0"
 
-permissions:
-  contents: read
-
 jobs:
   CodeQL-Build:
     # CodeQL runs on ubuntu-latest and windows-latest
     runs-on: ubuntu-latest
     if: (github.event_name == 'pull_request' && github.repository == 'openwallet-foundation/acapy') || (github.event_name != 'pull_request')
 
     permissions:
+      contents: read
       security-events: write
 
     steps:

diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
@@ -1,17 +1,16 @@
 name: Ruff Code Formatter and Linting Check
 
-"on":
+on:
   pull_request:
     branches:
       - main
 
-permissions:
-  contents: read
-  pull-requests: read
-  checks: write
-
 jobs:
   lint:
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     name: lint
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -5,15 +5,14 @@ on:
     - cron: "0 0 * * *"
   workflow_dispatch:
 
-permissions:
-  contents: read
-  pull-requests: read
-  checks: write
-
 jobs:
   tests:
     if: github.repository_owner == 'openwallet-foundation' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     strategy:
       fail-fast: false
       matrix:
@@ -34,6 +33,9 @@ jobs:
   setup_and_check_pub:
     name: Setup Publish
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       commits_today: ${{ steps.commits.outputs.commits_today }}
       date: ${{ steps.date.outputs.date }}
@@ -61,6 +63,7 @@ jobs:
         tag: ["nightly-${{needs.setup_and_check_pub.outputs.date}}", nightly]
     permissions:
       contents: read
+      pull-requests: read
       packages: write
     with:
       tag: ${{ matrix.tag }}
diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml
@@ -3,12 +3,11 @@ name: pip-audit
 on:
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   selftest:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: (github.event_name == 'pull_request' && github.repository == 'openwallet-foundation/acapy') || (github.event_name != 'pull_request')
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml
@@ -3,18 +3,17 @@ name: PR Tests
 on:
   pull_request:
 
-permissions:
-  contents: read
-  pull-requests: read
-  checks: write
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     steps:
     - name: checkout
       uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -28,6 +27,10 @@ jobs:
   postgres-tests:
     name: PostgreSQL Integration Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     services:
       postgres:
         image: postgres:15-alpine

diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -7,9 +7,6 @@ on:
       - main
       - docs-v*
 
-permissions:
-  contents: read
-
 jobs:
   deploy:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -23,9 +23,6 @@ on:
         required: false
         type: string
 
-permissions:
-  contents: read
-
 jobs:
   build-image:
     strategy:

diff --git a/.github/workflows/pythonpublish.yml b/.github/workflows/pythonpublish.yml
@@ -4,16 +4,14 @@ on:
   release:
     types: [created]
 
-permissions:
-  contents: read
-
 jobs:
   deploy:
     runs-on: ubuntu-latest
     environment:
       name: pypi
       url: https://pypi.org/p/acapy-agent
     permissions:
+      contents: read
       id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

diff --git a/.github/workflows/scenario-integration-tests.yml b/.github/workflows/scenario-integration-tests.yml
@@ -9,11 +9,6 @@ on:
       - main
     types: [opened, synchronize, reopened, ready_for_review]
 
-permissions:
-  contents: read
-  pull-requests: read
-  checks: write
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -25,6 +20,10 @@ defaults:
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     # Run on openwallet-foundation and non-draft PRs or on non-PR events
     if: (github.repository == 'openwallet-foundation/acapy') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request'))
     steps:

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -18,7 +18,9 @@ on:
     branches: [ "main" ]
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read
+  actions: read
 
 jobs:
   analysis:

diff --git a/.github/workflows/snyk-lts.yml b/.github/workflows/snyk-lts.yml
@@ -11,9 +11,6 @@ on:
       - acapy_agent/**
       - docker/**
 
-permissions:
-  contents: read
-
 jobs:
   snyk:
     permissions:

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -7,9 +7,6 @@ on:
       - acapy_agent/**
       - docker/**
 
-permissions:
-  contents: read
-
 jobs:
   snyk:
     permissions:

diff --git a/.github/workflows/sonar-merge-main.yml b/.github/workflows/sonar-merge-main.yml
@@ -4,12 +4,11 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
-  checks: write
-
 jobs:
   sonarcloud:
+    permissions:
+      contents: read
+      checks: write
     name: SonarCloud
     runs-on: ubuntu-latest
     if: github.repository == 'openwallet-foundation/acapy' && github.actor != 'dependabot[bot]'

diff --git a/.github/workflows/sonar-pr.yml b/.github/workflows/sonar-pr.yml
@@ -6,13 +6,12 @@ on:
     types: 
       - completed
 
-permissions:
-  contents: read
-  pull-requests: read
-  checks: write
-
 jobs:
   SonarCloud:
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     runs-on: ubuntu-latest
     if: github.event.workflow_run.conclusion == 'success' && github.repository == 'openwallet-foundation/acapy'
     steps:

diff --git a/.github/workflows/tag-recreate-lts.yml b/.github/workflows/tag-recreate-lts.yml
@@ -14,10 +14,6 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: write
-  packages: write
-
 jobs:
   recreate-lts-release:
     # LTS versions are now configured in .github/lts-versions.txt
@@ -27,6 +23,8 @@ jobs:
       (github.event_name == 'workflow_dispatch')
     name: Recreate LTS Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     outputs:
       lts_tag: ${{ steps.set_outputs.outputs.lts_tag }}
       release_tag: ${{ steps.set_outputs.outputs.release_tag }}
@@ -230,6 +228,8 @@ jobs:
       needs.recreate-lts-release.outputs.lts_tag != '' && 
       needs.recreate-lts-release.outputs.release_tag != ''
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     strategy:
       matrix:
         python-version: ["3.12"]
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,9 +7,6 @@ on: @@
           - main
           - docs-v*
-    permissions:
-      contents: read
     jobs:
       deploy:
         runs-on: ubuntu-latest
@@ Expand Down @@