ci: reduce permissions for GitHub Actions (#112)

ashishb · web-flow · commit 97fda629be4e · 2024-12-28T23:40:00.000-08:00
diff --git a/.github/workflows/check-goreleaser-config.yaml b/.github/workflows/check-goreleaser-config.yaml
@@ -17,6 +17,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   checkGoReleaserConfig:
diff --git a/.github/workflows/format-go.yaml b/.github/workflows/format-go.yaml
@@ -18,6 +18,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   validateCodeFormatGo:
diff --git a/.github/workflows/lint-github-actions.yaml b/.github/workflows/lint-github-actions.yaml
@@ -23,6 +23,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintGitHubActionsWithActionLint:
     runs-on: ubuntu-latest
@@ -74,7 +78,8 @@ jobs:
         uses: actions-rust-lang/setup-rust-toolchain@v1
 
       - name: Install zizmor
-        run: cargo install zizmor
+        # Install zizmor if it's not already installed via the Rust cache
+        run: zizmor --help || cargo install zizmor
 
       - name: Run zizmor on GitHub Actions
         run: zizmor .github/workflows/*
diff --git a/.github/workflows/lint-go.yaml b/.github/workflows/lint-go.yaml
@@ -18,6 +18,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   lintGo:
diff --git a/.github/workflows/lint-markdown.yaml b/.github/workflows/lint-markdown.yaml
@@ -19,6 +19,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintMarkdown:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-yaml.yaml b/.github/workflows/lint-yaml.yaml
@@ -23,6 +23,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintYaml:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-go.yaml b/.github/workflows/test-go.yaml
@@ -18,6 +18,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   testGo:
