From bf81f21d85bb7b324ce23147e67191e1ebfe019c Mon Sep 17 00:00:00 2001 From: Daniel Baker Date: Mon, 6 Jul 2026 08:04:30 -0700 Subject: [PATCH 1/2] ci: scope check.yml token to contents: read Replace permissions: read-all with the minimal contents: read. The three jobs that inherit the top-level default (format, build-the-world, branding-guide-changelog) only need to read the repo; the two jobs that need more (compare-artifacts-build, compare-artifacts-comment) already declare their own permissions blocks. Clears a zizmor excessive-permissions finding. --- .github/workflows/check.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 01fdce3..e3f9d5e 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -19,7 +19,8 @@ concurrency: group: check-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: format: From 7fbfb84f17349e0c0bf6694ca5deb55d8edaddf6 Mon Sep 17 00:00:00 2001 From: Daniel Baker Date: Mon, 6 Jul 2026 08:04:31 -0700 Subject: [PATCH 2/2] ci: scope release-guide and netlify token permissions per job Drop the workflow-wide contents: write in release-guide.yml (top-level permissions: {}) and grant the minimum per job: release gets contents: write for gh release create; the reusable-workflow callers grant the ceiling their callees need -- check (contents: read), release-npm-package (id-token: write for OIDC + contents: read), and deploy (contents/statuses/deployments: write for the Netlify commit-comment, commit-status, and GitHub-deployment integrations). Add the matching permissions block to netlify-deploy.yml so it is explicit on both the release and manual paths. Per GitHub's model a reusable workflow's token is set by the caller and can only be reduced, so id-token: write must sit on the calling job. Clears the remaining zizmor excessive-permissions findings. --- .github/workflows/netlify-deploy.yml | 5 +++++ .github/workflows/release-guide.yml | 14 ++++++++++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/netlify-deploy.yml b/.github/workflows/netlify-deploy.yml index b7b082d..bff7fcd 100644 --- a/.github/workflows/netlify-deploy.yml +++ b/.github/workflows/netlify-deploy.yml @@ -5,6 +5,11 @@ on: workflow_call: workflow_dispatch: +permissions: + contents: write + statuses: write + deployments: write + jobs: deploy: runs-on: ubuntu-latest diff --git a/.github/workflows/release-guide.yml b/.github/workflows/release-guide.yml index 73676af..8df50cf 100644 --- a/.github/workflows/release-guide.yml +++ b/.github/workflows/release-guide.yml @@ -6,16 +6,19 @@ on: tags: - "nixos-branding-guide-v*.*.*" -permissions: - contents: write +permissions: {} jobs: check: uses: ./.github/workflows/check.yml + permissions: + contents: read release: needs: check runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -80,7 +83,14 @@ jobs: deploy: uses: ./.github/workflows/netlify-deploy.yml needs: release + permissions: + contents: write + statuses: write + deployments: write release-npm-package: uses: ./.github/workflows/release-npm-package.yaml needs: release + permissions: + id-token: write + contents: read