ci: scope workflow permissions to job level (#4717)

2026-05-06 21:50:57 +08:00 · 2026-02-13 11:37:14 -05:00
parent 941f6453c1
commit 2ef66bcc87
12 changed files with 57 additions and 23 deletions
--- a/.github/workflows/ci-archlinux.yml
+++ b/.github/workflows/ci-archlinux.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Archlinux
-permissions:
-  contents: read
+permissions: {}

 on:
  workflow_call:
@@ -24,6 +23,8 @@ jobs:
      BUILD_VERSION: ${{ inputs.release_version }}
      CLONE_URL: ${{ github.event.repository.clone_url }}
      COMMIT: ${{ inputs.release_commit }}
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    container:
      image: archlinux/archlinux:base-devel
--- a/.github/workflows/ci-bundle.yml
+++ b/.github/workflows/ci-bundle.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Bundle
-permissions:
-  contents: read
+permissions: {}

 on:
  workflow_call:
@@ -11,6 +10,8 @@ on:

 jobs:
  bundle_analysis:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
--- a/.github/workflows/ci-copr.yml
+++ b/.github/workflows/ci-copr.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Copr
-permissions:
-  contents: read
+permissions: {}

 on:
  release:
@@ -27,6 +26,8 @@ concurrency:

 jobs:
  call-copr-ci:
+    permissions:
+      contents: read
    uses: LizardByte/copr-ci/.github/workflows/copr-ci.yml@master
    with:
      copr_pr_webhook_token: "05fc9b07-a19b-4f83-89b2-ae1e7e0b5282"
--- a/.github/workflows/ci-flatpak.yml
+++ b/.github/workflows/ci-flatpak.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Flatpak
-permissions:
-  contents: read
+permissions: {}

 on:
  workflow_call:
@@ -21,6 +20,8 @@ jobs:
      MATRIX_ARCH: ${{ matrix.arch }}
      NODE_VERSION: "20"
      PLATFORM_VERSION: "24.08"
+    permissions:
+      contents: read
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
--- a/.github/workflows/ci-freebsd.yml
+++ b/.github/workflows/ci-freebsd.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-FreeBSD
-permissions:
-  contents: read
+permissions: {}

 on:
  workflow_call:
@@ -25,6 +24,7 @@ jobs:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.generate-matrix.outputs.matrix }}
+    permissions: {}
    steps:
      - name: Generate Matrix
        id: generate-matrix
@@ -66,6 +66,8 @@ jobs:
    name: ${{ matrix.cmake_processor }}-${{ matrix.bsd_release }}
    runs-on: ubuntu-latest
    needs: setup-matrix
+    permissions:
+      contents: read
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
--- a/.github/workflows/ci-homebrew.yml
+++ b/.github/workflows/ci-homebrew.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Homebrew
-permissions:
-  contents: read
+permissions: {}

 on:
  workflow_call:
@@ -29,6 +28,8 @@ on:
 jobs:
  build_homebrew:
    name: ${{ matrix.os_name }}-${{ matrix.os_version }}${{ matrix.release == true && ' (Release)' || '' }}
+    permissions:
+      contents: read
    runs-on: ${{ matrix.os_name }}-${{ matrix.os_version }}
    strategy:
      fail-fast: false
--- a/.github/workflows/ci-linux.yml
+++ b/.github/workflows/ci-linux.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Linux
-permissions:
-  contents: read
+permissions: {}

 on:
  workflow_call:
@@ -19,6 +18,8 @@ jobs:
    env:
      APP_ID: dev.lizardbyte.app.Sunshine
      VERSION: ${{ inputs.release_version }}
+    permissions:
+      contents: read
    runs-on: ubuntu-${{ matrix.dist }}
    strategy:
      fail-fast: false
--- a/.github/workflows/ci-windows.yml
+++ b/.github/workflows/ci-windows.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Windows
-permissions:
-  contents: read
+permissions: {}

 on:
  workflow_call:
@@ -20,6 +19,8 @@ jobs:
    defaults:
      run:
        shell: msys2 {0}
+    permissions:
+      contents: read
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,6 @@
 ---
 name: CI
-permissions:
-  contents: read
+permissions: {}

 on:
  pull_request:
@@ -17,6 +16,8 @@ concurrency:
 jobs:
  github-env:
    name: GitHub Env Debug
+    permissions:
+      contents: read
    uses: LizardByte/.github/.github/workflows/__call-github-env.yml@master

  release-setup:
@@ -65,6 +66,8 @@ jobs:
  build-freebsd:
    name: FreeBSD
    needs: release-setup
+    permissions:
+      contents: read
    uses: ./.github/workflows/ci-freebsd.yml
    with:
      release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -73,6 +76,8 @@ jobs:
  build-homebrew:
    name: Homebrew
    needs: release-setup
+    permissions:
+      contents: read
    uses: ./.github/workflows/ci-homebrew.yml
    with:
      publish_release: ${{ needs.release-setup.outputs.publish_release }}
@@ -87,6 +92,8 @@ jobs:
  build-linux:
    name: Linux
    needs: release-setup
+    permissions:
+      contents: read
    uses: ./.github/workflows/ci-linux.yml
    with:
      release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -95,6 +102,8 @@ jobs:
  build-archlinux:
    name: Archlinux
    needs: release-setup
+    permissions:
+      contents: read
    uses: ./.github/workflows/ci-archlinux.yml
    with:
      release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -115,6 +124,8 @@ jobs:
  build-linux-flatpak:
    name: Linux Flatpak
    needs: release-setup
+    permissions:
+      contents: read
    uses: ./.github/workflows/ci-flatpak.yml
    with:
      release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -123,6 +134,8 @@ jobs:
  build-windows:
    name: Windows
    needs: release-setup
+    permissions:
+      contents: read
    uses: ./.github/workflows/ci-windows.yml
    with:
      release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -131,6 +144,8 @@ jobs:
  bundle-analysis:
    name: Bundle Analysis
    needs: release-setup
+    permissions:
+      contents: read
    uses: ./.github/workflows/ci-bundle.yml
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -148,6 +163,8 @@ jobs:
      - build-linux-flatpak
      - build-homebrew
      - build-windows
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
@@ -244,6 +261,8 @@ jobs:
      - build-linux
      - build-linux-flatpak
      - build-windows
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Download build artifacts
@@ -277,6 +296,8 @@ jobs:
      - release-setup
      - build-homebrew
      - release
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Download homebrew artifacts
--- a/.github/workflows/localize.yml
+++ b/.github/workflows/localize.yml
@@ -1,7 +1,6 @@
 ---
 name: localize
-permissions:
-  contents: read
+permissions: {}

 on:
  push:
@@ -19,8 +18,9 @@ env:
 jobs:
  localize:
    name: Update Localization
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
-
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
--- a/.github/workflows/release-notifier-moonlight.yml
+++ b/.github/workflows/release-notifier-moonlight.yml
@@ -11,6 +11,7 @@ jobs:
  discord:
    if: github.repository_owner == 'LizardByte'
    runs-on: ubuntu-latest
+    permissions: {}
    steps:
      - name: Check if latest GitHub release
        id: check-release
--- a/.github/workflows/update-pages.yml
+++ b/.github/workflows/update-pages.yml
@@ -1,7 +1,6 @@
 ---
 name: Build GH-Pages
-permissions:
-  contents: read
+permissions: {}

 on:
  pull_request:
@@ -17,6 +16,8 @@ concurrency:
 jobs:
  prep:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -32,6 +33,8 @@ jobs:

  call-jekyll-build:
    needs: prep
+    permissions:
+      contents: read
    uses: LizardByte/LizardByte.github.io/.github/workflows/jekyll-build.yml@master
    secrets:
      GH_BOT_EMAIL: ${{ secrets.GH_BOT_EMAIL }}