From 9ca0f385c5c00146d7a65ecaadc82aaca9483aa4 Mon Sep 17 00:00:00 2001
From: gitclonebrian <235774926+gitclonebrian@users.noreply.github.com>
Date: Mon, 24 Nov 2025 21:17:54 -0500
Subject: [PATCH] [cd.yml] Implement least privilege for GitHub Actions permissions

- Add workflow-level permissions: {} to remove default GITHUB_TOKEN permissions
- Remove actions: write from deploy job (not used by GITHUB_TOKEN)
- Add permission-actions: write to GitHub App token for workflow dispatch
---
 .github/workflows/cd.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index ca9c9f0..dd97c64 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -8,6 +8,8 @@ on:
     types:
       - published
 
+permissions: {}
+
 jobs:
   format:
     name: Format
@@ -40,7 +42,6 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
-      actions: write
       contents: read
       id-token: write
 
@@ -94,6 +95,7 @@ jobs:
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
           owner: bitwarden
           repositories: passwordless-devops
+          permission-actions: write # for running workflows in other repos
 
       - name: Dispatch deployment
         env:
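Review bot: The new workflow-level `permissions: {}` removes every default GITHUB_TOKEN scope from any job that does not declare its own `permissions:` block, and the context right below it shows the `format` job starting without one visible; if that job, or any other job outside this hunk, checks out a private repository or writes anything through GITHUB_TOKEN, it now needs the corresponding scope declared at job level. The diffstat shows no job-level additions in this commit, so please confirm each job already carries what it needs — only the deploy job's `contents: read` / `id-token: write` is visible in this patch. The empty map also reads like a placeholder without a comment; suggest `permissions: {}  # least privilege: each job declares the scopes it needs`. The enclosing `on:` block starts above the hunk and the `jobs:` block continues below it.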
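Review bot: The inline comment on the added `permission-actions` line has a single space before `#`, which yamllint's `comments` rule flags; write it as `permission-actions: write  # for running workflows in other repos`. The `permission-*` inputs are a v2 feature of the create-github-app-token action, and once any of them is set the issued token is expected to be limited to just the listed scopes, so this token will carry Actions write for `passwordless-devops` and nothing else — the step's `uses:` line is outside the hunk, so confirm the pinned major version supports these inputs. The Bitwarden App installation on that repository must itself grant Actions write; if it does not, the request fails at this token step rather than at the dispatch step that follows.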