ci: use permissionless runner token by default

Runner token permissions should be explicitly declared at the job-level

Signed-off-by: Seth Flynn <getchoo@tuta.io>
This commit is contained in:
Seth Flynn 2026-02-02 16:57:38 -05:00
parent e0ad6a2b3b
commit add9e55493
No known key found for this signature in database
GPG key ID: D31BD0D494BBEE86
7 changed files with 30 additions and 9 deletions

View file

@ -8,8 +8,7 @@ on:
# the GitHub repository. This means that it should not evaluate user input in a # the GitHub repository. This means that it should not evaluate user input in a
# way that allows code injection. # way that allows code injection.
permissions: permissions: {}
contents: read
jobs: jobs:
backport: backport:

View file

@ -72,6 +72,8 @@ on:
type: string type: string
default: Debug default: Debug
permissions: {}
jobs: jobs:
build: build:
name: Build (${{ matrix.artifact-name }}) name: Build (${{ matrix.artifact-name }})
@ -79,6 +81,7 @@ jobs:
environment: ${{ inputs.environment || '' }} environment: ${{ inputs.environment || '' }}
permissions: permissions:
contents: read
# Required for Azure Trusted Signing # Required for Azure Trusted Signing
id-token: write id-token: write
# Required for vcpkg binary cache # Required for vcpkg binary cache

View file

@ -66,8 +66,7 @@ on:
- ".github/workflows/nix.yml" - ".github/workflows/nix.yml"
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: read
env: env:
DEBUG: ${{ github.ref_type != 'tag' }} DEBUG: ${{ github.ref_type != 'tag' }}
@ -76,6 +75,9 @@ jobs:
build: build:
name: Build (${{ matrix.system }}) name: Build (${{ matrix.system }})
permissions:
contents: read
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:

View file

@ -4,13 +4,15 @@ on:
release: release:
types: [ released ] types: [ released ]
permissions: permissions: {}
contents: read
jobs: jobs:
winget: winget:
name: Winget name: Winget
permissions:
contents: read
runs-on: ubuntu-slim runs-on: ubuntu-slim
steps: steps:

View file

@ -5,10 +5,18 @@ on:
tags: tags:
- "*" - "*"
permissions: {}
jobs: jobs:
build_release: build_release:
name: Build Release name: Build Release
uses: ./.github/workflows/build.yml uses: ./.github/workflows/build.yml
permissions:
contents: read
# Required for Azure Trusted Signing
id-token: write
# Required for vcpkg binary cache
packages: write
with: with:
build-type: Release build-type: Release
environment: Release environment: Release
@ -16,6 +24,8 @@ jobs:
create_release: create_release:
needs: build_release needs: build_release
permissions:
contents: write
runs-on: ubuntu-slim runs-on: ubuntu-slim
outputs: outputs:
upload_url: ${{ steps.create_release.outputs.upload_url }} upload_url: ${{ steps.create_release.outputs.upload_url }}

View file

@ -6,6 +6,8 @@ on:
- cron: "0 0 * * 0" - cron: "0 0 * * 0"
workflow_dispatch: workflow_dispatch:
permissions: {}
jobs: jobs:
label: label:
name: Label issues and PRs name: Label issues and PRs

View file

@ -6,13 +6,16 @@ on:
- cron: "0 0 * * 0" - cron: "0 0 * * 0"
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: write
pull-requests: write
jobs: jobs:
update-flake: update-flake:
if: github.repository == 'PrismLauncher/PrismLauncher' if: github.repository == 'PrismLauncher/PrismLauncher'
permissions:
contents: write
pull-requests: write
runs-on: ubuntu-slim runs-on: ubuntu-slim
steps: steps: