ci: use permissionless runner token by default

Runner token permissions should be explicitly declared at the job-level Signed-off-by: Seth Flynn <getchoo@tuta.io>
2026-06-29 01:54:20 +03:00 · 2026-02-02 16:57:38 -05:00 · 2026-02-02 16:57:38 -05:00 · add9e55493
commit add9e55493
parent e0ad6a2b3b
7 changed files with 30 additions and 9 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -8,8 +8,7 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.

-permissions:
-  contents: read
+permissions: {}

 jobs:
  backport:
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -72,6 +72,8 @@ on:
        type: string
        default: Debug

+permissions: {}
+
 jobs:
  build:
    name: Build (${{ matrix.artifact-name }})
@ -79,6 +81,7 @@ jobs:
    environment: ${{ inputs.environment || '' }}

    permissions:
+      contents: read
      # Required for Azure Trusted Signing
      id-token: write
      # Required for vcpkg binary cache
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@ -66,8 +66,7 @@ on:
      - ".github/workflows/nix.yml"
  workflow_dispatch:

-permissions:
-  contents: read
+permissions: {}

 env:
  DEBUG: ${{ github.ref_type != 'tag' }}
@ -76,6 +75,9 @@ jobs:
  build:
    name: Build (${{ matrix.system }})

+    permissions:
+      contents: read
+
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -4,13 +4,15 @@ on:
  release:
    types: [ released ]

-permissions:
-  contents: read
+permissions: {}

 jobs:
  winget:
    name: Winget

+    permissions:
+      contents: read
+
    runs-on: ubuntu-slim

    steps:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -5,10 +5,18 @@ on:
    tags:
      - "*"

+permissions: {}
+
 jobs:
  build_release:
    name: Build Release
    uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      # Required for Azure Trusted Signing
+      id-token: write
+      # Required for vcpkg binary cache
+      packages: write
    with:
      build-type: Release
      environment: Release
@ -16,6 +24,8 @@ jobs:

  create_release:
    needs: build_release
+    permissions:
+      contents: write
    runs-on: ubuntu-slim
    outputs:
      upload_url: ${{ steps.create_release.outputs.upload_url }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -6,6 +6,8 @@ on:
    - cron: "0 0 * * 0"
  workflow_dispatch:

+permissions: {}
+
 jobs:
  label:
    name: Label issues and PRs
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@ -6,13 +6,16 @@ on:
    - cron: "0 0 * * 0"
  workflow_dispatch:

-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}

 jobs:
  update-flake:
    if: github.repository == 'PrismLauncher/PrismLauncher'
+
+    permissions:
+      contents: write
+      pull-requests: write
+
    runs-on: ubuntu-slim

    steps: