From 00a5a78a4419b7c1570883cdc5212380dc2033b4 Mon Sep 17 00:00:00 2001
From: Julian Tabel
Date: Tue, 17 Feb 2026 19:36:30 +0100
Subject: [PATCH] Fix CI workflow: actionlint install, zizmor, and permissions

- Use actionlint's official download script instead of hardcoded URL missing the version number in the asset filename
- Use pipx run for zizmor to avoid PATH and PEP 668 issues
- Add explicit permissions: contents: read to both workflows to satisfy zizmor's excessive-permissions audit

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yml | 9 +++++----
 .github/workflows/deploy.yml | 3 +++
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8a95e8b..0c76b0b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ on:
 - ".gitignore"
 - ".github/workflows/deploy.yml"
+permissions:
+ contents: read
+
 jobs:
 backend-lint:
 runs-on: ubuntu-latest
@@ -45,14 +48,12 @@ jobs:
 persist-credentials: false
 - name: Install actionlint
 run: |
- curl -sL https://github.com/rhysd/actionlint/releases/latest/download/actionlint_linux_amd64.tar.gz | tar xz
+ bash <(curl -sL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
 sudo mv actionlint /usr/local/bin/
 - name: Lint GitHub Actions
 run: actionlint
- - name: Install zizmor
- run: pip install zizmor
 - name: Audit GitHub Actions security
- run: zizmor .github/workflows/
+ run: pipx run zizmor .github/workflows/
 frontend-lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8b08735..f3329e4 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -3,6 +3,9 @@ name: Deploy
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
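Review bot: The new `bash <(curl -sL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)` line in the Install actionlint step executes whatever is on the upstream `main` branch at run time, and that script in turn fetches whichever release is latest, so the lint job's toolchain is neither pinned nor integrity-checked and any upstream change runs unreviewed inside the job. Pin the script to a tagged ref and pass an explicit version — the download script takes the version as its first argument — e.g. `bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/<TAG>/scripts/download-actionlint.bash) <VERSION>` with the placeholders filled from a release you have reviewed, and keep `-f` so an HTTP error body is never handed to bash. The `pipx run zizmor .github/workflows/` line at the end of the hunk has the same unpinned-version problem; `pipx run zizmor==<VERSION>` fixes it and keeps the audit results reproducible between runs. The backend-lint job these steps belong to starts and ends outside the hunk.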
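Review bot: The workflow-level `permissions: contents: read` is the right default, but the `deploy` job's steps lie outside this hunk, so whether deploying needs a write scope (for example to publish artifacts or to request an OIDC token) cannot be confirmed from here. If it does, grant only that scope in a job-level `permissions:` block under `deploy:` rather than widening this top-level block, so the read-only default still covers any job added to the workflow later. The `deploy` job begins on the last lines of the hunk and continues past it.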