Summary
The default branch already hardened .github/workflows/repository-dispatch.yml against the issue(s) below, but 4 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
Already resolved on the default branch in:
Affected release branches (4)
release-2.5 (still present as of HEAD db1dfc99)
release-2.2 (still present as of HEAD 85f2b518)
release-2.3 (still present as of HEAD a056f277)
release-2.4 (still present as of HEAD ea8fc63d)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release-2.5 — excessive-permissions
File .github/workflows/repository-dispatch.yml; suggested edits:
-
- permissions.contents = 'read'
-
- permissions.id-token = 'write'
--- a/.github/workflows/repository-dispatch.yml
+++ b/.github/workflows/repository-dispatch.yml
@@ -31,3 +31,6 @@
repository: redpanda-data/console-enterprise
event-type: push
client-payload: '{"branch": "${{ github.ref_name }}", "commit_sha": "${{ github.sha }}"}'
+permissions:
+ contents: read
+ id-token: write
release-2.2 — excessive-permissions
File .github/workflows/repository-dispatch.yml; suggested edits:
-
- permissions.contents = 'read'
-
- permissions.id-token = 'write'
--- a/.github/workflows/repository-dispatch.yml
+++ b/.github/workflows/repository-dispatch.yml
@@ -31,3 +31,6 @@
repository: redpanda-data/console-enterprise
event-type: push
client-payload: '{"branch": "${{ github.ref_name }}", "commit_sha": "${{ github.sha }}"}'
+permissions:
+ contents: read
+ id-token: write
release-2.3 — excessive-permissions
File .github/workflows/repository-dispatch.yml; suggested edits:
-
- permissions.contents = 'read'
-
- permissions.id-token = 'write'
--- a/.github/workflows/repository-dispatch.yml
+++ b/.github/workflows/repository-dispatch.yml
@@ -31,3 +31,6 @@
repository: redpanda-data/console-enterprise
event-type: push
client-payload: '{"branch": "${{ github.ref_name }}", "commit_sha": "${{ github.sha }}"}'
+permissions:
+ contents: read
+ id-token: write
release-2.4 — excessive-permissions
File .github/workflows/repository-dispatch.yml; suggested edits:
-
- permissions.contents = 'read'
-
- permissions.id-token = 'write'
--- a/.github/workflows/repository-dispatch.yml
+++ b/.github/workflows/repository-dispatch.yml
@@ -31,3 +31,6 @@
repository: redpanda-data/console-enterprise
event-type: push
client-payload: '{"branch": "${{ github.ref_name }}", "commit_sha": "${{ github.sha }}"}'
+permissions:
+ contents: read
+ id-token: write
Happy to open pull requests instead if that's preferred.
Summary
The default branch already hardened
.github/workflows/repository-dispatch.ymlagainst the issue(s) below, but 4 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.What's flagged (by zizmor)
excessive-permissions— workflow/job granted broaderpermissionsthan neededAlready resolved on the default branch in:
Affected release branches (4)
release-2.5(still present as of HEADdb1dfc99)release-2.2(still present as of HEAD85f2b518)release-2.3(still present as of HEADa056f277)release-2.4(still present as of HEADea8fc63d)Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release-2.5— excessive-permissionsFile
.github/workflows/repository-dispatch.yml; suggested edits:release-2.2— excessive-permissionsFile
.github/workflows/repository-dispatch.yml; suggested edits:release-2.3— excessive-permissionsFile
.github/workflows/repository-dispatch.yml; suggested edits:release-2.4— excessive-permissionsFile
.github/workflows/repository-dispatch.yml; suggested edits:Happy to open pull requests instead if that's preferred.