Summary
The default branch already hardened .github/workflows/verify.yml against the issue(s) below, but 3 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
Already resolved on the default branch in:
Affected release branches (3)
releases/23.52 (still present as of HEAD 0765430e)
releases/23.48 (still present as of HEAD e1c063bb)
releases/23.43 (still present as of HEAD 2df851e6)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
releases/23.52 — excessive-permissions
File .github/workflows/verify.yml; suggested edits:
- permissions.contents = 'read'
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -19,3 +19,5 @@
uses: ./neo/.github/actions/neo-lint
with:
path: neo
+permissions:
+ contents: read
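Review bot: the added `permissions:` key comes directly after `path: neo`, and because whitespace is normalized the hunk does not show its indentation. To match the stated edit `permissions.contents = 'read'` it has to sit at column 0; nested under the step's `with:` it would be read as an action input and the token would keep its default scope. Suggest posting the hunk with its real indentation, or placing the block near the top of the file beside `on:`, where a workflow-level setting is easier to spot in review.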
releases/23.48 — excessive-permissions
File .github/workflows/verify.yml; suggested edits:
- permissions.contents = 'read'
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -19,3 +19,5 @@
uses: ./neo/.github/actions/neo-lint
with:
path: neo
+permissions:
+ contents: read
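Review bot: a workflow-level `contents: read` drops every scope that is not listed, for all jobs in the file, and the only step visible in this hunk is the local action `./neo/.github/actions/neo-lint`. Please confirm on this branch that neo-lint, and any other job in verify.yml, needs no further scope (for example `pull-requests: write` if it posts review comments). The zizmor and actionlint runs mentioned above are static checks and would not show a job that now fails at run time for lack of permission.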
releases/23.43 — excessive-permissions
File .github/workflows/verify.yml; suggested edits:
- permissions.contents = 'read'
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -19,3 +19,5 @@
uses: ./neo/.github/actions/neo-lint
with:
path: neo
+permissions:
+ contents: read
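Review bot: the header `@@ -19,3 +19,5 @@` and the three context lines are identical to those given for the other two release branches, although the branches sit at different HEADs. Worth confirming that verify.yml on releases/23.43 really has `path: neo` at line 21 and carries no existing job-level `permissions:` block; otherwise the patch will not apply cleanly or will leave two competing settings.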
Happy to open pull requests instead if that's preferred.