diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e3d07af..d1dcc98 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -27,10 +27,6 @@ jobs:
   codeql-analyze:
     name: CodeQL Analyze
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/frizbee.yml b/.github/workflows/frizbee.yml
index 7e53d81..5d94205 100644
--- a/.github/workflows/frizbee.yml
+++ b/.github/workflows/frizbee.yml
@@ -6,8 +6,6 @@ jobs:
   frizbee:
     name: Check action pinning
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml
index 15af049..29e9530 100644
--- a/.github/workflows/goCI.yml
+++ b/.github/workflows/goCI.yml
@@ -1,6 +1,3 @@
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -123,10 +120,6 @@ jobs:
 
   codeql:
     if: inputs.run-codeql
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     uses: ./.github/workflows/codeql-analysis.yml
     with:
       goprivate: ${{ inputs.goprivate }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 2c6805c..5f70413 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -11,9 +11,6 @@ jobs:
   zizmor:
     name: Scan GitHub workflows
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..29c44ad
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+  excessive-permissions:
+    ignore:
+      # workflow_call-only: the caller controls the permission ceiling,
+      # so job-level permissions blocks are meaningless here.
+      - goCI.yml
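Review bot: The rationale written into the new `.github/zizmor.yml` ignore is not accurate: GitHub documents that a called workflow's `permissions:` can only downgrade, never elevate, the token the caller passes in, so the workflow-level `permissions: contents: read` removed from goCI.yml was a genuine restriction rather than a no-op, and dropping it lets every goCI job run with whatever the caller happens to grant. I would restore that top-level block in goCI.yml and, if the zizmor finding still needs suppressing, reword the comment to `# workflow_call-only: the caller sets the token ceiling; this block can only lower it and is kept as defense in depth` instead of calling it meaningless. The same concern applies to the job-level blocks deleted from codeql-analysis.yml, frizbee.yml and zizmor.yml: unless a workflow-level `permissions:` exists above those hunks (not visible in this diff), the jobs fall back to the repository default token, which under the legacy permissive default is read/write on every scope, and the `security-events: write` those jobs presumably relied on for uploading results is no longer granted explicitly. Please confirm a workflow-level block is present in each of those files, or reinstate the job-level ones.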