Skip to content

[GSD-12974] Backport workflow-hardening fix (excessive-permissions) to 3 release branches #943

Description

@CharlieMCY

Summary

The default branch already hardened .github/workflows/verify.yml against the issue(s) below, but 3 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.

What's flagged (by zizmor)

  • excessive-permissions — workflow/job granted broader permissions than needed

Already resolved on the default branch in:

Affected release branches (3)

  • releases/23.52 (still present as of HEAD 0765430e)
  • releases/23.48 (still present as of HEAD e1c063bb)
  • releases/23.43 (still present as of HEAD 2df851e6)

Suggested per-branch patches

Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

releases/23.52 — excessive-permissions

File .github/workflows/verify.yml; suggested edits:

    • permissions.contents = 'read'
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -19,3 +19,5 @@
         uses: ./neo/.github/actions/neo-lint
         with:
           path: neo
+permissions:
+  contents: read
releases/23.48 — excessive-permissions

File .github/workflows/verify.yml; suggested edits:

    • permissions.contents = 'read'
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -19,3 +19,5 @@
         uses: ./neo/.github/actions/neo-lint
         with:
           path: neo
+permissions:
+  contents: read
releases/23.43 — excessive-permissions

File .github/workflows/verify.yml; suggested edits:

    • permissions.contents = 'read'
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -19,3 +19,5 @@
         uses: ./neo/.github/actions/neo-lint
         with:
           path: neo
+permissions:
+  contents: read

Happy to open pull requests instead if that's preferred.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions