From cfdb3cb47354d2477323cdeb8a6103bd58efccbd Mon Sep 17 00:00:00 2001
From: William So
Date: Sun, 25 Jan 2026 14:21:46 +0800
Subject: [PATCH 1/2] ci(workflows): minimize workflow permissions and tighten CI job permissions

- Add minimal file-level permissions (e.g. `contents: read`) to workflows
- Set `permissions: {}` on detect-quota jobs to avoid inheriting elevated permissions
- Update Docker CI to allow only `packages: write` and remove unnecessary `attestations/id-token` perms
- Keep elevated permissions scoped to the `release_please` job in release workflow
---
 .github/workflows/check.yml | 5 +++++
 .github/workflows/docker.yml | 5 +++--
 .github/workflows/release.yml | 3 +++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index f5dc4ac..d5b4f73 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -4,11 +4,16 @@ on:
 - push
 - pull_request
 
+# Minimal file-level permissions for checks: read repository contents for linting/tests
+permissions:
+ contents: read
+
 jobs:
 detect-quota:
 # Probe the hosted runner (same flavor as the original try job) so we
 # can decide whether to use a hosted runner or fall back to
 # self-hosted. The job should fail if quota is exhausted.
+ permissions: {}
 runs-on: ubuntu-slim
 steps:
 - name: Quota probe
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 251bebc..fd5e904 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -4,11 +4,11 @@ on:
 push:
 pull_request:
 
+# Minimize permissions for Docker CI; only allow read access to repo contents
+# and package write for pushing images to GHCR.
 permissions:
 contents: read
 packages: write
- attestations: write
- id-token: write
 
 env:
 REGISTRY: ghcr.io
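Review bot: `packages: write` stays at the workflow level in docker.yml, so every job that does not override it — including any build job triggered by `pull_request` — receives a GITHUB_TOKEN that can push to GHCR; only `detect-quota` opts out, and only in the next hunk. Least privilege here is `permissions:` / `  contents: read` at the top of the file and `permissions:` / `  contents: read` / `  packages: write` on the single job that runs the push step, so a registry-write token exists only where it is used. Dropping `id-token: write` also disables any step that still requests an OIDC token, such as provenance or SBOM attestation in a build-push step; the job steps are outside this hunk, so confirm none relies on it. The `env:` block and the jobs that consume these permissions continue beyond the hunk.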
@@ -19,6 +19,7 @@ jobs:
 # Probe the hosted runner to decide whether to use hosted runners or
 # fall back to self-hosted. Use the same runner flavor as the original
 # try job.
+ permissions: {}
 runs-on: ubuntu-slim
 steps:
 - name: Quota probe
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5a35161..81a7dcc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,8 @@ on:
 push:
 branches:
 - main
+# Minimize default permissions; grant elevated permissions only to the
+# `release_please` job below.
 permissions:
 contents: write
 issues: write
@@ -19,6 +21,7 @@ jobs:
 detect-quota:
 # Probe the hosted runner flavor used by release steps so we can fall
 # back if necessary.
+ permissions: {}
 runs-on: ubuntu-slim
 steps:
 - name: Quota probe

From 6b7943c10d4527eebe0f4180cc5279518f16e2f5 Mon Sep 17 00:00:00 2001
From: William So
Date: Sun, 25 Jan 2026 14:24:42 +0800
Subject: [PATCH 2/2] ci(workflows): add workflow_dispatch to all workflows

---
 .github/workflows/check.yml | 5 +++--
 .github/workflows/docker.yml | 1 +
 .github/workflows/release.yml | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index d5b4f73..df86db9 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,8 +1,9 @@
 name: Checks
 
 on:
- - push
- - pull_request
+ push:
+ pull_request:
+ workflow_dispatch:
 
 # Minimal file-level permissions for checks: read repository contents for linting/tests
 permissions:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index fd5e904..c0dfbe9 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -3,6 +3,7 @@ name: Docker CI
 on:
 push:
 pull_request:
+ workflow_dispatch:
 
 # Minimize permissions for Docker CI; only allow read access to repo contents
 # and package write for pushing images to GHCR.
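Review bot: The comment added above `permissions:` in release.yml says elevated permissions are granted only to the `release_please` job, but the block it annotates is file-level, so `contents: write` and `issues: write` (and whatever follows — the block continues past the hunk) are the default for every job in the file, including `detect-quota` until its own `permissions: {}` in the later hunk. Either move the write scopes onto the `release_please` job and leave `permissions:` / `  contents: read` at the top, or reword the comment to `# Default permissions for every job in this file; release_please relies on contents/issues write.` so it does not claim a scoping the file does not have. The commit message describes these scopes as job-scoped as well, which this hunk does not show.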
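Review bot: Adding `workflow_dispatch:` to docker.yml means a manual run from any branch or tag now executes with the file-level `packages: write` token, so whether an image can be published from an arbitrary ref depends entirely on the push step's condition, which is outside this hunk. If the push is already gated on the event or ref, record that next to the trigger, e.g. `workflow_dispatch:  # manual runs build only; the push step is gated on event/ref`; if it is not, add such a guard on the push step before merging. The `on:` block and the comment that follows it are complete in the hunk, but the jobs are not.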
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 81a7dcc..3d85ccf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ workflow_dispatch:
 # Minimize default permissions; grant elevated permissions only to the
 # `release_please` job below.