From 678b270829eb1bf51a88c3bb6ac3a58505906ff9 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Tue, 3 Mar 2026 07:11:30 -0800
Subject: [PATCH] Remove job-level permissions from workflow_call-only workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Job-level permissions blocks in workflow_call-only workflows cannot escalate permissions beyond the caller's grant — they can only restrict. When a caller sets restrictive top-level permissions (e.g. contents: read), GitHub's static parse-time validation fails the entire workflow with startup_failure if any nested job declares permissions exceeding the caller's grant, even for jobs guarded by `if:` conditions.

Remove permissions blocks from:
- goCI.yml: top-level permissions and codeql job permissions
- zizmor.yml: zizmor job permissions
- codeql-analysis.yml: codeql-analyze job permissions
- frizbee.yml: frizbee job permissions

Add .github/zizmor.yml config to suppress the resulting excessive-permissions findings for goCI.yml, consistent with the convention used in other repos.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/codeql-analysis.yml | 4 ----
 .github/workflows/frizbee.yml | 2 --
 .github/workflows/goCI.yml | 7 -------
 .github/workflows/zizmor.yml | 3 ---
 .github/zizmor.yml | 6 ++++++
 5 files changed, 6 insertions(+), 16 deletions(-)
 create mode 100644 .github/zizmor.yml

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e3d07af..d1dcc98 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -27,10 +27,6 @@ jobs:
   codeql-analyze:
     name: CodeQL Analyze
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/frizbee.yml b/.github/workflows/frizbee.yml
index 7e53d81..5d94205 100644
--- a/.github/workflows/frizbee.yml
+++ b/.github/workflows/frizbee.yml
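Review bot: Dropping the `permissions:` block on `codeql-analyze` also removes the only in-file statement of what this job needs, so a caller that grants a broader token now passes it straight through unchanged, and a caller that grants only `contents: read` will presumably fail when CodeQL results are uploaded rather than at parse time. Since a called workflow can still narrow the caller's grant, keep the requirement visible as a comment above `runs-on:`, e.g. `# Needs from the caller: actions: read, contents: read, security-events: write — a workflow_call job can only narrow the caller's grant, never widen it.` The zizmor.yml hunk removes `security-events: write` from the `zizmor` job in the same way and would benefit from the same comment. The enclosing `jobs:` mapping starts before this hunk and the job's `strategy:` continues after it.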
@@ -6,8 +6,6 @@ jobs:
   frizbee:
     name: Check action pinning
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml
index 15af049..29e9530 100644
--- a/.github/workflows/goCI.yml
+++ b/.github/workflows/goCI.yml
@@ -1,6 +1,3 @@
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -123,10 +120,6 @@ jobs:
 
   codeql:
     if: inputs.run-codeql
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     uses: ./.github/workflows/codeql-analysis.yml
     with:
       goprivate: ${{ inputs.goprivate }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 2c6805c..5f70413 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -11,9 +11,6 @@ jobs:
   zizmor:
     name: Scan GitHub workflows
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..29c44ad
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+  excessive-permissions:
+    ignore:
+      # workflow_call-only: the caller controls the permission ceiling,
+      # so job-level permissions blocks are meaningless here.
+      - goCI.yml
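Review bot: The hunk shows the `frizbee` job losing its `contents: read` cap but not the workflow's `on:` block, so the workflow_call-only premise that makes the removal safe cannot be confirmed from here; if any direct trigger (`pull_request`, `schedule`, `workflow_dispatch`) remains in frizbee.yml, the job would now run with the repository's default GITHUB_TOKEN permissions instead of read-only. Worth verifying the trigger list for all four modified workflow files before merging, or adding a one-line comment next to `on:` recording that the file is workflow_call-only and relies on the caller's grant. The `jobs:` mapping begins before this hunk and the job's `steps:` continue after it.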
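Review bot: With the top-level `permissions: contents: read` gone, nothing in goCI.yml documents what callers must grant, yet the second hunk of this file makes the `codeql` job depend on the caller supplying `security-events: write` (and `actions: read`) whenever `run-codeql` is true, which would otherwise presumably surface as a runtime failure inside the called CodeQL workflow rather than at parse time. Record the contract next to the trigger, e.g. `# Reusable workflow: permissions come from the caller's grant and can only be narrowed here. Callers need contents: read for all jobs, plus actions: read and security-events: write when run-codeql is true.`, and repeat the `security-events: write` requirement in the `run-codeql` input's `description`. Both hunks sit inside mappings (`on:` and `jobs:`) that continue outside the hunk.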
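Review bot: The ignore entry `- goCI.yml` silences `excessive-permissions` for the whole file, so a future job added to goCI.yml that genuinely over-requests, or a direct trigger added later under `on:`, would also go unreported. zizmor's config also accepts line-scoped entries (`goCI.yml:<line>`), which keeps the audit live for the rest of the file; if the file-wide ignore is intentional, state that trade-off in the comment. The comment's claim that job-level blocks are "meaningless" also overstates slightly, since they still narrow the caller's grant and merely cannot widen it, so `# so job-level permissions blocks can only narrow the caller's grant here.` would be more accurate.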