ci: set default permissions for workflows

The default workflow permissions are overly broad; setting permissions explicitly at the workflow level ensures excessive permissions are not unintentionally granted to jobs. For details, see: https://docs.zizmor.sh/audits/#excessive-permissions
2026-03-28 03:12:00 +00:00 · 2026-03-07 10:05:39 -05:00
parent 63844b7904
commit 755087f8ef
20 changed files with 57 additions and 0 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -2,6 +2,9 @@ name: backport
 on:
  pull_request_target:
    types: [closed, labeled]
+
+permissions: {}
+
 jobs:
  backport:
    permissions:
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ on:
      - '.github/**'
  workflow_dispatch:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
--- a/.github/workflows/build_dummy.yml
+++ b/.github/workflows/build_dummy.yml
@@ -14,6 +14,8 @@ on:
      - 'cmake.*/**'
      - '.github/**'

+permissions: {}
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,6 +12,8 @@ on:
    branches: [ "master" ]
  workflow_dispatch:

+permissions: {}
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -4,6 +4,9 @@ on:
    - cron: '10 0 * * *'  # Run every day at 00:10
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  scan:
    runs-on: ubuntu-latest
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -2,6 +2,9 @@ name: docs
 on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions: {}
+
 jobs:
  docs:
    runs-on: ubuntu-latest
--- a/.github/workflows/labeler_issue.yml
+++ b/.github/workflows/labeler_issue.yml
@@ -2,6 +2,9 @@ name: "labeler: issue"
 on:
  issues:
    types: [opened]
+
+permissions: {}
+
 jobs:
  labeler:
    permissions:
--- a/.github/workflows/labeler_pr.yml
+++ b/.github/workflows/labeler_pr.yml
@@ -2,6 +2,9 @@ name: "labeler: PR"
 on:
  pull_request_target:
    types: [opened]
+
+permissions: {}
+
 jobs:
  changed-files:
    runs-on: ubuntu-latest
--- a/.github/workflows/lintcommit.yml
+++ b/.github/workflows/lintcommit.yml
@@ -4,6 +4,10 @@ on:
    types: [opened, synchronize, reopened, ready_for_review]
    branches:
      - 'master'
+
+permissions:
+  contents: read
+
 jobs:
  lint-commits:
    runs-on: ubuntu-latest
--- a/.github/workflows/lintcommit_dummy.yml
+++ b/.github/workflows/lintcommit_dummy.yml
@@ -8,6 +8,9 @@ on:
    types: [opened, synchronize, reopened, ready_for_review]
    branches:
      - 'release-[0-9]+.[0-9]+'
+
+permissions: {}
+
 jobs:
  lint-commits:
    runs-on: ubuntu-latest
--- a/.github/workflows/lintdocurls.yml
+++ b/.github/workflows/lintdocurls.yml
@@ -4,6 +4,8 @@ on:
    - cron: '22 22 * * 5'
  workflow_dispatch:

+permissions: {}
+
 jobs:
  check-unreachable-urls:
    runs-on: ubuntu-latest
--- a/.github/workflows/news.yml
+++ b/.github/workflows/news.yml
@@ -4,6 +4,10 @@ on:
    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
    branches:
    - 'master'
+
+permissions:
+  contents: read
+
 jobs:
  check:
    runs-on: ubuntu-latest
--- a/.github/workflows/optional.yml
+++ b/.github/workflows/optional.yml
@@ -4,6 +4,9 @@ on:
    types: [labeled, opened, synchronize, reopened]
  workflow_dispatch:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
    tags:
      - v[0-9]+.[0-9]+.[0-9]+

+permissions:
+  contents: read
+
 # Build on the oldest supported images, so we have broader compatibility
 jobs:
  setup:
--- a/.github/workflows/response.yml
+++ b/.github/workflows/response.yml
@@ -5,6 +5,8 @@ on:
  workflow_dispatch:
  issue_comment:

+permissions: {}
+
 jobs:
  close:
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
--- a/.github/workflows/reviewers_add.yml
+++ b/.github/workflows/reviewers_add.yml
@@ -3,6 +3,9 @@ on:
  pull_request_target:
    types: [labeled, ready_for_review, reopened]
  workflow_call:
+
+permissions: {}
+
 jobs:
  request-reviewer:
    if: github.event.pull_request.state == 'open' && github.event.pull_request.draft == false && !endsWith(github.actor, '[bot]')
--- a/.github/workflows/reviewers_remove.yml
+++ b/.github/workflows/reviewers_remove.yml
@@ -2,6 +2,9 @@ name: "reviewers: remove"
 on:
  pull_request_target:
    types: [converted_to_draft, closed]
+
+permissions: {}
+
 jobs:
  remove-reviewers:
    runs-on: ubuntu-latest
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,6 +10,9 @@ on:
      - 'release-[0-9]+.[0-9]+'
  workflow_dispatch:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
--- a/.github/workflows/test_windows.yml
+++ b/.github/workflows/test_windows.yml
@@ -9,6 +9,9 @@ on:
        type: number
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  windows:
    runs-on: windows-2025
--- a/.github/workflows/vim_patches.yml
+++ b/.github/workflows/vim_patches.yml
@@ -4,6 +4,8 @@ on:
    - cron: '3 3 * * *'
  workflow_dispatch:

+permissions: {}
+
 jobs:
  update-vim-patches:
    runs-on: ubuntu-latest