fix more zizmor warnings

2025-12-19 19:00:18 +00:00 · 2025-10-19 01:30:32 -07:00
parent a750b0f6d1
commit 5bf17796d4
3 changed files with 7 additions and 12 deletions
--- a/.github/workflows/ci-actions.yaml
+++ b/.github/workflows/ci-actions.yaml
@@ -7,19 +7,16 @@ on:
    branches: ["**"]
 permissions:
-  contents: read
+  contents: read # Needed to checkout the repository.
 jobs:
  zizmor:
    name: zizmor
    runs-on: ubuntu-latest
    permissions:
-      # write is needed to upload security events to GitHub code scanning.
+      security-events: write # Needed to upload code scanning results.
-      security-events: write
+      contents: read # Needed to checkout the repository.
-      # we only need to read the contents of the repository.
+      actions: read # Needed to analyze action metadata.
      contents: read
      # we only need to read the action metadata.
      actions: read
    steps:
    - name: harden runner
      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
--- a/.github/workflows/ci-code.yaml
+++ b/.github/workflows/ci-code.yaml
@@ -9,8 +9,7 @@ on:
    - main
 permissions:
-  # we only need to read the contents of the repository.
+  contents: read # Needed to checkout the repository.
  contents: read
 jobs:
  rustfmt:
--- a/.github/workflows/release-assets.yaml
+++ b/.github/workflows/release-assets.yaml
@@ -6,14 +6,13 @@ on:
    - created
 permissions:
-  contents: read
+  contents: read # Needed to checkout the repository.
 jobs:
  assets:
    name: assets
    permissions:
-      # write is needed to upload release artifacts.
+      contents: write # Needed to upload release assets.
      contents: write
    runs-on: ubuntu-latest
    steps:
    - name: harden runner