Restrict permissions on zizmor and frizbee caller jobs

tashian · claude · tashian · commit 90feb43b96d3 · 2026-03-02T16:56:58.000-08:00
Add explicit `permissions: contents: read` to the zizmor and frizbee
job calls in ci.yml and goCI.yml to resolve zizmor's "overly broad
permissions" warnings.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,10 +22,14 @@ jobs:
 
   zizmor:
     name: Scan GitHub workflows
+    permissions:
+      contents: read
     uses: ./.github/workflows/zizmor.yml
 
   frizbee:
     name: Check action pinning
+    permissions:
+      contents: read
     uses: ./.github/workflows/frizbee.yml
 
   lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid
diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml
@@ -146,9 +146,13 @@ jobs:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   zizmor:
+    permissions:
+      contents: read
     uses: ./.github/workflows/zizmor.yml
 
   frizbee:
+    permissions:
+      contents: read
     uses: ./.github/workflows/frizbee.yml
 
   build:
