Merge pull request #47 from portapps/fix-perms

crazy-max · web-flow · commit 9eaba04d36be · 2026-04-04T17:46:58.000+02:00
fix reusable workflow permissions
diff --git a/.github/workflows/app-build.yml b/.github/workflows/app-build.yml
@@ -1,8 +1,5 @@
 name: app-build
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -35,8 +32,6 @@ env:
 jobs:
   build:
     runs-on: windows-latest
-    permissions:
-      contents: read
     env:
       GO_VERSION: ${{ inputs.go_version }}
       NODE_VERSION: ${{ inputs.node_version }}
@@ -118,8 +113,6 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - build
-    permissions:
-      contents: write # required to create a GitHub release
     steps:
       -
         name: Prepare
@@ -147,4 +140,4 @@ jobs:
             bin/release/*
           name: ${{ env.GIT_TAGNAME }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/app-virustotal.yml b/.github/workflows/app-virustotal.yml
@@ -1,8 +1,5 @@
 name: app-virustotal
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     secrets:
@@ -14,8 +11,6 @@ on:
 jobs:
   run:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write # required to write GitHub Release body
     steps:
       -
         name: Prepare
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -1,4 +1,12 @@
 # https://docs.zizmor.sh/configuration/
 rules:
+  # does not apply to reusable worfklows where permissions are defined by
+  # the caller workflow and not the reusable workflow itself.
+  # https://docs.zizmor.sh/audits/#excessive-permissions
+  excessive-permissions:
+    ignore:
+      - app-build.yml
+      - app-virustotal.yml
+
   secrets-outside-env:
     disable: true
