Add explicit permissions blocks, eliminate all zizmor ignores

tashian · claude · tashian · commit 9380018c724e · 2026-03-02T17:40:36.000-08:00
Add top-level permissions: contents: read to ci.yml, goCI.yml, and
sync-winget-fork.yml. Add security-events: write to code-scan.yml
and the goCI codeql job (required by CodeQL). Remove redundant
per-job permissions where they now inherit from the workflow level.

This eliminates every excessive-permissions finding, allowing us to
delete .github/zizmor.yml entirely — zero suppressed warnings.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,6 +11,9 @@ on:
       - opened
       - synchronize
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -22,14 +25,10 @@ jobs:
 
   zizmor:
     name: Scan GitHub workflows
-    permissions:
-      contents: read
     uses: ./.github/workflows/zizmor.yml
 
   frizbee:
     name: Check action pinning
-    permissions:
-      contents: read
     uses: ./.github/workflows/frizbee.yml
 
   lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -6,6 +6,11 @@ on:
         type: boolean
         default: true
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   codeql:
     if: inputs.run-codeql
diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml
@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
@@ -120,6 +123,10 @@ jobs:
 
   codeql:
     if: inputs.run-codeql
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: ./.github/workflows/codeql-analysis.yml
     with:
       goprivate: ${{ inputs.goprivate }}
@@ -146,13 +153,9 @@ jobs:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   zizmor:
-    permissions:
-      contents: read
     uses: ./.github/workflows/zizmor.yml
 
   frizbee:
-    permissions:
-      contents: read
     uses: ./.github/workflows/frizbee.yml
 
   build:
diff --git a/.github/workflows/sync-winget-fork.yml b/.github/workflows/sync-winget-fork.yml
@@ -5,6 +5,9 @@ on:
     - cron: '0 0 1 * *' # First day of each month at midnight UTC
   workflow_dispatch: # Allow manual trigger
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     runs-on: ubuntu-latest
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
