ci: fix overly broad permissions reported by zizmor (#8611)

https://woodruffw.github.io/zizmor/audits/#excessive-permissions
oxc-project · Jan 20, 2025 · a78a72f · a78a72f
1 parent 11f33af
commit a78a72f
Show file tree

Hide file tree

Showing 25 changed files with 57 additions and 12 deletions.
diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml
@@ -1,5 +1,7 @@
 name: autofix.ci # For security reasons, the workflow in which the autofix.ci action is used must be named "autofix.ci".
 
+permissions: {}
+
 on:
   pull_request:
     types: [opened, synchronize]

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -13,6 +13,8 @@
 
 name: Benchmark
 
+permissions: {}
+
 on:
   workflow_dispatch:
   pull_request:

diff --git a/.github/workflows/bloat.yml b/.github/workflows/bloat.yml
@@ -2,6 +2,8 @@
 
 name: Cargo Bloat
 
+permissions: {}
+
 on:
   workflow_dispatch:
 

diff --git a/.github/workflows/cargo_llvm_lines.yml b/.github/workflows/cargo_llvm_lines.yml
@@ -2,6 +2,8 @@
 
 name: Cargo LLVM Lines
 
+permissions: {}
+
 on:
   workflow_dispatch:
 

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,7 @@
 name: CI
 
+permissions: {}
+
 on:
   workflow_dispatch:
   pull_request:

diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml
@@ -1,5 +1,7 @@
 name: GitHub Actions Security Analysis
 
+permissions: {}
+
 on:
   workflow_dispatch:
   pull_request:
@@ -20,10 +22,7 @@ jobs:
     permissions:
       security-events: write
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+      - uses: taiki-e/checkout-action@b13d20b7cda4e2f325ef19895128f7ff735c0b3d # v1.3.1
 
       - uses: taiki-e/install-action@a7adeb15af2926b0ac7478ad165047cd2d8ba350 # v2.47.18
         with:

diff --git a/.github/workflows/ci_vscode.yml b/.github/workflows/ci_vscode.yml
@@ -1,5 +1,7 @@
 name: CI VSCode
 
+permissions: {}
+
 on:
   workflow_dispatch:
   pull_request:

diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -2,6 +2,8 @@
 
 name: Code Coverage
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
@@ -1,5 +1,7 @@
 name: Cargo Deny
 
+permissions: {}
+
 on:
   workflow_dispatch:
   pull_request:

diff --git a/.github/workflows/link_check.yml b/.github/workflows/link_check.yml
@@ -1,5 +1,7 @@
 name: Check Links
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/lint_rules.yml b/.github/workflows/lint_rules.yml
@@ -1,5 +1,7 @@
 name: Update implementation status of all linter plugins
 
+permissions: {}
+
 on:
   push:
     branches:
@@ -13,6 +15,9 @@ on:
 jobs:
   lint_rules:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Checkout Branch
         uses: taiki-e/checkout-action@b13d20b7cda4e2f325ef19895128f7ff735c0b3d # v1.3.1

diff --git a/.github/workflows/miri.yml b/.github/workflows/miri.yml
@@ -1,5 +1,7 @@
 name: Miri
 
+permissions: {}
+
 on:
   workflow_dispatch:
   pull_request:

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -1,5 +1,7 @@
 name: Check PR
 
+permissions: {}
+
 on:
   pull_request_target: # zizmor: ignore[dangerous-triggers]
     types:
@@ -27,12 +29,6 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           requireScope: true
-          disallowScopes: |
-            build
-            chore
-            ci
-            release
-            revert
           types: |
             build
             chore

diff --git a/.github/workflows/prepare_release_crates.yml b/.github/workflows/prepare_release_crates.yml
@@ -1,5 +1,7 @@
 name: Prepare Release Crates
 
+permissions: {}
+
 on:
   workflow_dispatch:
 
@@ -33,6 +35,9 @@ jobs:
     needs: prepare
     name: Trigger Monitor Oxc
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: taiki-e/checkout-action@b13d20b7cda4e2f325ef19895128f7ff735c0b3d # v1.3.1
 

diff --git a/.github/workflows/prepare_release_oxlint.yml b/.github/workflows/prepare_release_oxlint.yml
@@ -1,5 +1,7 @@
 name: Prepare Release Oxlint
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/release_crates.yml b/.github/workflows/release_crates.yml
@@ -1,5 +1,7 @@
 name: Release Crates
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/release_napi_minify.yml b/.github/workflows/release_napi_minify.yml
@@ -1,5 +1,7 @@
 name: Release NAPI Minify
 
+permissions: {}
+
 on:
   push:
     branches:

diff --git a/.github/workflows/release_napi_parser.yml b/.github/workflows/release_napi_parser.yml
@@ -1,5 +1,7 @@
 name: Release NAPI Parser
 
+permissions: {}
+
 on:
   push:
     branches:

diff --git a/.github/workflows/release_napi_transform.yml b/.github/workflows/release_napi_transform.yml
@@ -1,5 +1,7 @@
 name: Release NAPI Transform
 
+permissions: {}
+
 on:
   push:
     branches:

diff --git a/.github/workflows/release_oxlint.yml b/.github/workflows/release_oxlint.yml
@@ -1,5 +1,7 @@
 name: Release Oxlint
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/release_types.yml b/.github/workflows/release_types.yml
@@ -1,5 +1,7 @@
 name: Release @oxc-project/types
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/release_vscode.yml b/.github/workflows/release_vscode.yml
@@ -1,7 +1,7 @@
-# Reference: https://github.com/biomejs/biome/blob/main/.github/workflows/release_lsp.yml
-
 name: Release VSCode
 
+permissions: {}
+
 on:
   push:
     branches:

diff --git a/.github/workflows/release_wasm.yml b/.github/workflows/release_wasm.yml
@@ -1,5 +1,7 @@
 name: Release WASM
 
+permissions: {}
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/reusable_prepare_release.yml b/.github/workflows/reusable_prepare_release.yml
@@ -1,5 +1,7 @@
 name: Prepare Release
 
+permissions: {}
+
 on:
   workflow_call:
     inputs:

diff --git a/.github/workflows/reusable_release_napi.yml b/.github/workflows/reusable_release_napi.yml
@@ -1,5 +1,7 @@
 name: Release NAPI
 
+permissions: {}
+
 on:
   workflow_call:
     inputs:
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,8 @@ @@
     name: Cargo Bloat
+    permissions: {}
     on:
       workflow_dispatch:
@@ Expand Down @@