From f85e2ddb15e2c044d83c60b6c0c5d2d191ae41a4 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Mon, 2 Feb 2026 16:50:21 -0500
Subject: [PATCH 1/3] ci(blocked-prs): restrict runner token permissions

These can run without any permissions since we use our own app for auth

Signed-off-by: Seth Flynn
---
 .github/workflows/blocked-prs.yml | 2 ++
 .github/workflows/merge-blocking-pr.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/blocked-prs.yml b/.github/workflows/blocked-prs.yml
index 4e4285260..fa00646e2 100644
--- a/.github/workflows/blocked-prs.yml
+++ b/.github/workflows/blocked-prs.yml
@@ -14,6 +14,8 @@ on:
 required: true
 type: number
+permissions: {}
+
 jobs:
 blocked_status:
 name: Check Blocked Status
diff --git a/.github/workflows/merge-blocking-pr.yml b/.github/workflows/merge-blocking-pr.yml
index 57c9cf21e..5c6357430 100644
--- a/.github/workflows/merge-blocking-pr.yml
+++ b/.github/workflows/merge-blocking-pr.yml
@@ -11,6 +11,8 @@ on:
 required: true
 type: number
+permissions: {}
+
 jobs:
 update-blocked-status:
 name: Update Blocked Status
From e0ad6a2b3b997b979138583f5dea5584c3fa5483 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Mon, 2 Feb 2026 16:51:58 -0500
Subject: [PATCH 2/3] ci(codeql): explicitly grant runner token permissions

This allows us to make our runner token only have read-only permissions by default

Signed-off-by: Seth Flynn
---
 .github/workflows/codeql.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e4830ddd9..dbc163715 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -58,10 +58,16 @@ on:
 - ".github/actions/setup-dependencies/**"
 workflow_dispatch:
+permissions: {}
+
 jobs:
 CodeQL:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
From add9e55493e91a87d710177c818c06687bcc3b5c Mon Sep 17 00:00:00 2001
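Review bot: The `permissions: {}` added before `jobs:` in blocked-prs.yml governs only GITHUB_TOKEN; the App installation token the description says these jobs use is minted inside the job and is not narrowed by this line, so the workflow's effective privilege is whatever that token is scoped to. Confirm the minting step restricts it (the `permission-*` / `repositories` inputs, if a token-minting action is used) rather than inheriting the App's full installation scope, and that no step still passes `${{ github.token }}` — any such call will now fail with 403. A comment above the new line, `# GITHUB_TOKEN is unused here; API calls use the scoped App token minted in the job`, would record the reason so the next reader does not re-add `contents: read`. The `blocked_status` job body is outside the hunk.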
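Review bot: The new job-level block on `CodeQL` in codeql.yml grants `contents: read` and `security-events: write` without the per-scope justification comments that build.yml uses for its scopes in this same series; add `contents: read # Required for actions/checkout` and `security-events: write # Required to upload SARIF to code scanning` so scope creep in this block is visible at review time. For a public repository this pair is what the CodeQL action documents as sufficient; `actions: read` is only needed on private repositories and `packages: read` only when private CodeQL packs are pulled, so nothing appears missing here. The job's remaining steps are outside the hunk.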
From: Seth Flynn
Date: Mon, 2 Feb 2026 16:57:38 -0500
Subject: [PATCH 3/3] ci: use permissionless runner token by default

Runner token permissions should be explicitly declared at the job-level

Signed-off-by: Seth Flynn
---
 .github/workflows/backport.yml | 3 +--
 .github/workflows/build.yml | 3 +++
 .github/workflows/nix.yml | 6 ++++--
 .github/workflows/publish.yml | 6 ++++--
 .github/workflows/release.yml | 10 ++++++++++
 .github/workflows/stale.yml | 2 ++
 .github/workflows/update-flake.yml | 9 ++++++---
 7 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 27969aea2..862d2a120 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -8,8 +8,7 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
-permissions:
- contents: read
+permissions: {}
 jobs:
 backport:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9d56bb661..e9ffeddec 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -72,6 +72,8 @@ on:
 type: string
 default: Debug
+permissions: {}
+
 jobs:
 build:
 name: Build (${{ matrix.artifact-name }})
@@ -79,6 +81,7 @@ jobs:
 environment: ${{ inputs.environment || '' }}
 permissions:
+ contents: read
 # Required for Azure Trusted Signing
 id-token: write
 # Required for vcpkg binary cache
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 2035668f4..3ddb96aa7 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -66,8 +66,7 @@ on:
 - ".github/workflows/nix.yml"
 workflow_dispatch:
-permissions:
- contents: read
+permissions: {}
 env:
 DEBUG: ${{ github.ref_type != 'tag' }}
@@ -76,6 +75,9 @@ jobs:
 build:
 name: Build (${{ matrix.system }})
+ permissions:
+ contents: read
+
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 50707933b..1bb1c5b50 100644
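Review bot: backport.yml is the one file in this patch where the workflow-level `contents: read` is removed and nothing is declared at the job level (the diffstat shows one insertion and two deletions), which contradicts the subject line's rule that scopes be explicit per job. If the `backport` job really runs on the App token alone, say so next to the new line, e.g. `# GITHUB_TOKEN needs no scopes: the backport step authenticates with the App token`; if any step checks out or calls the API with `github.token`, add `permissions:` / `contents: read` under `backport:` instead. The retained comment lines about not evaluating user input suggest this runs on a privileged trigger, so an unexpected 403 here would also be a hint that something is using the default token on untrusted input. The job body starts after the hunk.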
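Review bot: In build.yml the `contents: read` inserted at the top of the `build` job's `permissions:` block is the only scope there without a `# Required for …` justification, unlike the `id-token: write` and vcpkg lines beneath it; write it as `contents: read # Required for actions/checkout` so the pattern holds. Since this is a reusable workflow, `id-token: write` lets any step of the job mint an OIDC token, so the Azure federated credential should be bound to the `environment` subject the job already sets from `inputs.environment`, not just the repository — a one-line comment to that effect would stop someone later making the environment optional. The rest of the block and the job steps are outside the hunk.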
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,13 +4,15 @@ on:
 release:
 types: [ released ]
-permissions:
- contents: read
+permissions: {}
 jobs:
 winget:
 name: Winget
+ permissions:
+ contents: read
+
 runs-on: ubuntu-slim
 steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 093bac083..c68c5bc93 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,10 +5,18 @@ on:
 tags:
 - "*"
+permissions: {}
+
 jobs:
 build_release:
 name: Build Release
 uses: ./.github/workflows/build.yml
+ permissions:
+ contents: read
+ # Required for Azure Trusted Signing
+ id-token: write
+ # Required for vcpkg binary cache
+ packages: write
 with:
 build-type: Release
 environment: Release
@@ -16,6 +24,8 @@ jobs:
 create_release:
 needs: build_release
+ permissions:
+ contents: write
 runs-on: ubuntu-slim
 outputs:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0447a7d25..7963c3efe 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,6 +6,8 @@ on:
 - cron: "0 0 * * 0"
 workflow_dispatch:
+permissions: {}
+
 jobs:
 label:
 name: Label issues and PRs
diff --git a/.github/workflows/update-flake.yml b/.github/workflows/update-flake.yml
index 92886728a..e3d77b804 100644
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -6,13 +6,16 @@ on:
 - cron: "0 0 * * 0"
 workflow_dispatch:
-permissions:
- contents: write
- pull-requests: write
+permissions: {}
 jobs:
 update-flake:
 if: github.repository == 'PrismLauncher/PrismLauncher'
+
+ permissions:
+ contents: write
+ pull-requests: write
+
 runs-on: ubuntu-slim
 steps:
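Review bot: The `permissions:` block added to `build_release` in release.yml is the caller-side ceiling for the reusable build.yml, which declares its own job-level scopes; keeping a second copy of the `# Required for …` comments here means the two will drift, so prefer one comment such as `# Ceiling for the called build.yml job, which declares the scopes it actually uses` and leave the per-scope justifications in build.yml. `packages: write` is the broadest grant of the three (it allows publishing packages, not only feeding the vcpkg cache); confirm the tag build actually writes to the cache, otherwise `packages: read` suffices. Whether other jobs in this workflow still need scopes is not visible in the hunk.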
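Review bot: stale.yml gets `permissions: {}` at the workflow level and, per the diffstat (two insertions), no job-level grant for `label`; a job that labels or closes issues and PRs with the default token needs `issues: write` and `pull-requests: write`, and because this runs on a weekly cron a 403 would go unnoticed until someone checks the run history. If the job uses the App token as the first patch in the series describes, add `# No GITHUB_TOKEN scopes: the stale step uses the App token` above the new line; otherwise add the two write scopes under `label:`. The job's steps are outside the hunk.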