Summary
The default branch already hardened .github/workflows/nightly.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
Already resolved on the default branch in:
Affected release branches (5)
release-intellij-1.13 (still present as of HEAD 028d24bf)
release-intellij-1.12 (still present as of HEAD f5c2e562)
release-vsce-1.28 (still present as of HEAD 99e0004b)
release-vsce-1.26 (still present as of HEAD 5d195457)
release-vsce-1.25 (still present as of HEAD fc89e332)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
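To make the finding concrete, here is an added example (not part of this issue, zizmor, or the project) that checks a workflow for the same pattern zizmor reports as `excessive-permissions`: a job that sets no `permissions:` of its own while the workflow has no restrictive workflow-level block, so the job runs with the repository's default `GITHUB_TOKEN` scopes. The three workflow texts are constructed for illustration; the job id `nightly` and the `actions/checkout` step are assumptions, not taken from the affected branches. The third text shows why the nesting of the added block matters: a `permissions:` key placed under a step's `with:` does not narrow the token and is still reported.

```python
"""Added example: dependency-free check for jobs that run with default token
permissions. Handles the indentation-based subset of YAML that workflows use
(block mappings only), which is all this check needs."""
import re

# Constructed "before": no permissions block anywhere.
BEFORE = """\
name: nightly
on:
  schedule:
    - cron: '0 2 * * *'
jobs:
  nightly:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EndBug/latest-tag@latest
        with:
          ref: nightly
"""

# Constructed "after": the job states the one scope it needs; every other
# scope of the token becomes `none` once a job-level block exists.
AFTER = """\
name: nightly
on:
  schedule:
    - cron: '0 2 * * *'
jobs:
  nightly:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: EndBug/latest-tag@latest
        with:
          ref: nightly
"""

# Constructed misplacement: the block landed under the step's `with:`.
MISPLACED = """\
jobs:
  nightly:
    runs-on: ubuntu-latest
    steps:
      - uses: EndBug/latest-tag@latest
        with:
          ref: nightly
          permissions:
            contents: write
"""

# Matches a plain mapping key (list items such as `- uses:` deliberately do not match).
_KEY = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):(.*)$")


def jobs_without_permissions(workflow_text: str) -> list[str]:
    """Return ids of jobs that inherit the default GITHUB_TOKEN permissions."""
    top_level_restricted = False
    in_jobs = False
    job_indent = None    # indentation of job ids under `jobs:`
    child_indent = None  # indentation of keys directly under the current job
    current = None
    missing: dict = {}

    for raw in workflow_text.splitlines():
        m = _KEY.match(raw)
        if not m or raw.lstrip().startswith("#"):
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:
            # `permissions: write-all` at the top level narrows nothing.
            if key == "permissions" and value != "write-all":
                top_level_restricted = True
            in_jobs = key == "jobs"
            job_indent = child_indent = current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:
            current, child_indent = key, None
            missing[key] = True  # presumed lacking until a job-level block is seen
        elif current is not None and indent > job_indent:
            if child_indent is None:
                child_indent = indent
            # Only a direct child of the job counts; deeper keys (e.g. under
            # a step's `with:`) are not job permissions.
            if indent == child_indent and key == "permissions" and value != "write-all":
                missing[current] = False

    if top_level_restricted:
        return []
    return [job for job, lacking in missing.items() if lacking]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("misplaced", MISPLACED)):
        print(label, "->", jobs_without_permissions(text) or "ok")
```

The check deliberately treats `permissions: write-all` as no restriction at either level, and it ignores any `permissions:` key that is not a direct child of the job id, which is the case the normalized diffs below cannot distinguish by eye.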
release-intellij-1.13 — excessive-permissions
File .github/workflows/nightly.yml; suggested edits:
- jobs.$J.permissions.contents = 'write'
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -18,3 +18,5 @@
uses: EndBug/latest-tag@latest
with:
ref: nightly
+ permissions:
+ contents: write
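Review bot: The nesting of the two added lines cannot be confirmed from this hunk, because whitespace is normalized and `+ permissions:` is shown directly after `ref: nightly`, which belongs to the step's `with:` mapping. The block must be a direct child of the job (a sibling of `runs-on:` and `steps:`); placed under `with:` it would be passed to the action as an input and the job would still run with the default token, so the `excessive-permissions` finding would not actually be cleared. Please apply the patch from the un-normalized diff and re-run `zizmor` and `actionlint` on the resulting file rather than on the displayed text.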
release-intellij-1.12 — excessive-permissions
File .github/workflows/nightly.yml; suggested edits:
- jobs.$J.permissions.contents = 'write'
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -18,3 +18,5 @@
uses: EndBug/latest-tag@latest
with:
ref: nightly
+ permissions:
+ contents: write
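Review bot: Adding a job-level `permissions:` block sets every scope not listed to `none`, not just `contents`. The three context lines show only the tagging step, so it is not visible whether other steps of this job rely on the default token for something else (for example `pull-requests` or `packages`); please check the full job on this branch and confirm with one nightly run after applying, since a step that silently loses a scope fails only at run time.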
release-vsce-1.28 — excessive-permissions
File .github/workflows/nightly.yml; suggested edits:
- jobs.$J.permissions.contents = 'write'
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -18,3 +18,5 @@
uses: EndBug/latest-tag@latest
with:
ref: nightly
+ permissions:
+ contents: write
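Review bot: The context line `uses: EndBug/latest-tag@latest` references a mutable tag, and with `contents: write` that action is precisely the step allowed to move tags in the repository. That is outside the `excessive-permissions` scope of this issue, but since the job's token is being narrowed anyway, pinning the action to a full commit SHA in the same change would close the remaining supply-chain gap that zizmor's unpinned-uses audit targets.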
release-vsce-1.26 — excessive-permissions
File .github/workflows/nightly.yml; suggested edits:
- jobs.$J.permissions.contents = 'write'
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -18,3 +18,5 @@
uses: EndBug/latest-tag@latest
with:
ref: nightly
+ permissions:
+ contents: write
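Review bot: A job-level block narrows only this job; if `nightly.yml` on this branch has no workflow-level `permissions:` entry, any other job in the file keeps the repository default token. Consider adding `permissions: {}` (or `contents: read`) at the top of the workflow in the same patch so that the tagging job is the only one holding write access; whether that is needed is not visible from these three context lines.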
release-vsce-1.25 — excessive-permissions
File .github/workflows/nightly.yml; suggested edits:
- jobs.$J.permissions.contents = 'write'
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -18,3 +18,5 @@
uses: EndBug/latest-tag@latest
with:
ref: nightly
+ permissions:
+ contents: write
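Review bot: All five branches receive a byte-identical hunk anchored at `@@ -18,3 +18,5 @@`, yet their HEADs differ, so the step is not guaranteed to sit at line 18 everywhere. Please run `git apply --check` against each branch before pushing, so the block lands on the intended job by context rather than by line number, and reject any branch where the patch applies only with fuzz.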
Happy to open pull requests instead if that's preferred.