Summary
The default branch already hardened .github/workflows/semantic-pull-request.yml against the issue(s) below, but 4 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
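As an added illustration (not the project's workflow and not taken from the issue), the shape of the finding and of the fix: a workflow with no `permissions:` key at all runs the job with the repository's default GITHUB_TOKEN scopes, and the remedy is an explicit, scoped grant. The job id `check`, the `pull_request` trigger and the checkout step are assumptions; only the run step and its `GITHUB_TOKEN` env mirror the lines quoted in the diffs below.

```yaml
# Added example, not the project's workflow. The job id `check`, the
# `pull_request` trigger and the checkout step are assumptions; the run
# step mirrors the one quoted in the issue's diffs.
name: semantic-pull-request
on:
  pull_request:
    types: [opened, edited, synchronize]

# BEFORE (what zizmor reports as excessive-permissions): no `permissions:`
# key anywhere, so the job inherits the repository's default token scopes.
#
# jobs:
#   check:
#     runs-on: ubuntu-latest
#     steps:
#       - run: pnpm tsx bin/check-pull-request.ts
#         env:
#           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# AFTER: workflow-level default-deny, then a job-level grant. Listing any
# scope at the job level sets every unlisted scope to `none`, which is why
# `contents: read` is kept for the checkout step.
permissions: {}

jobs:
  check:
    runs-on: ubuntu-latest
    # `permissions:` is a sibling of `runs-on:` and `steps:`. Indenting it
    # under the last step would make it an invalid step key.
    permissions:
      contents: read         # needed by the checkout below
      pull-requests: write   # use `read` if the script only inspects the PR
    steps:
      - uses: actions/checkout@v4   # assumption; pin to a commit SHA in real use
      - run: pnpm tsx bin/check-pull-request.ts
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The hunks in this issue add only the job-level block; whether a workflow-level `permissions: {}` is also wanted is a separate choice, and either form clears the finding on the job.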
Already resolved on the default branch in:
Affected release branches (4)
release/v0.14.4_fix (still present as of HEAD 66a784b5)
release/v0.13 (still present as of HEAD 60852af5)
release/v0.14 (still present as of HEAD e46efb3d)
release/v0.11 (still present as of HEAD ea0a347e)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release/v0.14.4_fix — excessive-permissions
File .github/workflows/semantic-pull-request.yml; suggested edits:
-
- jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@@ -25,3 +25,5 @@
run: pnpm tsx bin/check-pull-request.ts
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ permissions:
+ pull-requests: write
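Review bot: because whitespace was normalized, the two `+` lines do not show the one thing that makes this hunk correct or broken: their indentation. `permissions:` has to sit at the job level, in the same column as `runs-on:` and `steps:`, not under the final step or its `env:` mapping, where it would be an invalid step key. Please keep the exact indentation in the PR (for a job indented by four spaces that is `    permissions:` followed by `      pull-requests: write`). Note also that a job-level block sets every scope not listed to `none`, so if an earlier step in this job checks out the repository, add `contents: read` next to the `pull-requests` grant.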
release/v0.13 — excessive-permissions
File .github/workflows/semantic-pull-request.yml; suggested edits:
-
- jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@@ -25,3 +25,5 @@
run: pnpm tsx bin/check-pull-request.ts
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ permissions:
+ pull-requests: write
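Review bot: the grant at the two `+` lines is `pull-requests: write`, but nothing in the issue says what bin/check-pull-request.ts does with the token. A semantic-PR check that only reads the title needs `pull-requests: read`; `write` is only justified if the script comments on or labels the PR. Please confirm the script's actual API calls before granting write and record the reason in a YAML comment beside the grant. The added lines must also be indented to the job level (sibling of `runs-on:` and `steps:`), which the normalized diff does not show.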
release/v0.14 — excessive-permissions
File .github/workflows/semantic-pull-request.yml; suggested edits:
-
- jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@@ -25,3 +25,5 @@
run: pnpm tsx bin/check-pull-request.ts
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ permissions:
+ pull-requests: write
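Review bot: the hunk does not show the workflow's trigger, and that decides whether the `pull-requests: write` grant at the `+` lines is even effective: on `pull_request` runs from forked repositories the GITHUB_TOKEN is read-only regardless of the `permissions` block, while on `pull_request_target` the write scope is real and carries the usual risk of running with elevated rights against PR-controlled input. Please state the trigger in the PR description and, if it is `pull_request_target`, make sure the job does not execute code from the PR head. As in the other hunks, indent the added block at the job level, not under the last step.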
release/v0.11 — excessive-permissions
File .github/workflows/semantic-pull-request.yml; suggested edits:
-
- jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@@ -19,3 +19,5 @@
run: pnpm tsx bin/check-pull-request.ts
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ permissions:
+ pull-requests: write
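Review bot: the header `@@ -19,3 +19,5 @@` puts the step six lines earlier than on the other three branches, so this file differs in more than whitespace; the three context lines alone do not prove the job has the same id or the same set of steps. Please check the job boundaries on release/v0.11 before appending the block, replace the `$J` placeholder from the suggested-edits line with the job's real id, and indent `permissions:` to the job level (same column as `runs-on:` and `steps:`), since the normalized hunk hides that. If the job also checks out the repository, add `contents: read` alongside, because unlisted scopes become `none` once any scope is listed.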
Happy to open pull requests instead if that's preferred.