From add9e55493e91a87d710177c818c06687bcc3b5c Mon Sep 17 00:00:00 2001 From: Seth Flynn Date: Mon, 2 Feb 2026 16:57:38 -0500 Subject: [PATCH] ci: use permissionless runner token by default Runner token permissions should be explicitly declared at the job-level Signed-off-by: Seth Flynn --- .github/workflows/backport.yml | 3 +-- .github/workflows/build.yml | 3 +++ .github/workflows/nix.yml | 6 ++++-- .github/workflows/publish.yml | 6 ++++-- .github/workflows/release.yml | 10 ++++++++++ .github/workflows/stale.yml | 2 ++ .github/workflows/update-flake.yml | 9 ++++++--- 7 files changed, 30 insertions(+), 9 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 27969aea2..862d2a120 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -8,8 +8,7 @@ on: # the GitHub repository. This means that it should not evaluate user input in a # way that allows code injection. -permissions: - contents: read +permissions: {} jobs: backport: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9d56bb661..e9ffeddec 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -72,6 +72,8 @@ on: type: string default: Debug +permissions: {} + jobs: build: name: Build (${{ matrix.artifact-name }}) @@ -79,6 +81,7 @@ jobs: environment: ${{ inputs.environment || '' }} permissions: + contents: read # Required for Azure Trusted Signing id-token: write # Required for vcpkg binary cache diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index 2035668f4..3ddb96aa7 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml @@ -66,8 +66,7 @@ on: - ".github/workflows/nix.yml" workflow_dispatch: -permissions: - contents: read +permissions: {} env: DEBUG: ${{ github.ref_type != 'tag' }} @@ -76,6 +75,9 @@ jobs: build: name: Build (${{ matrix.system }}) + permissions: + contents: read + strategy: fail-fast: false matrix: 
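Review bot: With the workflow-level block reduced to `permissions: {}`, the `backport:` job that starts right after this hunk runs with a GITHUB_TOKEN that has no scopes at all unless it declares its own `permissions:`, and the diffstat (`backport.yml | 3 +--`) shows this commit adds no job-level block there; `stale.yml | 2 ++` has the same shape for its `label` job, and nix.yml only covers `build`. If those jobs do not already carry a job-level block (or mint their own token from a PAT or GitHub App secret), the backport and stale steps will fail on their first write, which is easy to miss on a scheduled workflow. Presumably each needs something like `permissions:` / `contents: write` / `pull-requests: write` for the backport and `issues: write` / `pull-requests: write` for the stale labeller, but scope it to what the action actually calls. The `backport:` job body continues outside the hunk.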
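Review bot: The new `contents: read` entry in the `build` job of build.yml is the only scope without the why-comment its neighbours carry (`# Required for Azure Trusted Signing`, `# Required for vcpkg binary cache`); add one, e.g. `contents: read # Required to check out the sources`, if that is what it is for — the job's steps are outside the hunk, so confirm. Because build.yml is invoked through `uses:` (see the release.yml hunk in this patch), the scopes listed here are also bounded by whatever the calling job passes in its own `permissions:`; release.yml passes a matching set, and as far as I know GitHub rejects a nested job that asks for more than its caller granted, so any other caller has to be updated the same way. The `build` job's definition continues outside the hunk.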
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 50707933b..1bb1c5b50 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,13 +4,15 @@ on: release: types: [ released ] -permissions: - contents: read +permissions: {} jobs: winget: name: Winget + permissions: + contents: read + runs-on: ubuntu-slim steps: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 093bac083..c68c5bc93 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,10 +5,18 @@ on: tags: - "*" +permissions: {} + jobs: build_release: name: Build Release uses: ./.github/workflows/build.yml + permissions: + contents: read + # Required for Azure Trusted Signing + id-token: write + # Required for vcpkg binary cache + packages: write with: build-type: Release environment: Release @@ -16,6 +24,8 @@ jobs: create_release: needs: build_release + permissions: + contents: write runs-on: ubuntu-slim outputs: upload_url: ${{ steps.create_release.outputs.upload_url }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 0447a7d25..7963c3efe 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -6,6 +6,8 @@ on: - cron: "0 0 * * 0" workflow_dispatch: +permissions: {} + jobs: label: name: Label issues and PRs diff --git a/.github/workflows/update-flake.yml b/.github/workflows/update-flake.yml index 92886728a..e3d77b804 100644 --- a/.github/workflows/update-flake.yml +++ b/.github/workflows/update-flake.yml @@ -6,13 +6,16 @@ on: - cron: "0 0 * * 0" workflow_dispatch: -permissions: - contents: write - pull-requests: write +permissions: {} jobs: update-flake: if: github.repository == 'PrismLauncher/PrismLauncher' + + permissions: + contents: write + pull-requests: write + runs-on: ubuntu-slim steps:
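Review bot: Blank-line placement around the new job-level `permissions:` blocks differs per file: here in `winget` a blank line follows the block before `runs-on:`, in release.yml's `create_release` there is none, and in update-flake.yml's `update-flake` the block is wrapped in blank lines on both sides. Pick one layout (yamllint's `empty-lines` accepts all three, so this is purely consistency); the release.yml form, `permissions:` directly above `runs-on:`, is the tightest, which here means dropping the blank line after `contents: read`. The `winget` job's steps are outside the hunk.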
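Review bot: `create_release` now gets `contents: write`, but its `outputs: upload_url: ${{ steps.create_release.outputs.upload_url }}` exists only to feed another job, and this commit's ten insertions in release.yml are all in the two hunks shown — so whichever job consumes `upload_url` (an asset-upload job, presumably) is left under the new top-level `permissions: {}` with no scopes of its own. Uploading a release asset needs `contents: write` as well, so that job should get its own `permissions:` / `contents: write` block, or the upload should move into this job. `contents: write` is also the minimum for creating the release itself, which is all the visible lines need. The `create_release` job continues outside the hunk.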