Restrict workflow permissions to contents: read

All CI jobs and the deploy workflow only need to read repo contents. Adding explicit top-level permissions satisfies zizmor's excessive-permissions audit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix zizmor PATH issue in CI by using pipx run
2026-02-17 19:34:07 +01:00 · 2026-02-17 19:31:39 +01:00 · 2026-02-17 19:28:24 +01:00 · 2026-02-17 19:19:11 +01:00
2 changed files with 8 additions and 4 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ on:
      - ".gitignore"
      - ".github/workflows/deploy.yml"

+permissions:
+  contents: read
+
 jobs:
  backend-lint:
    runs-on: ubuntu-latest
@@ -45,14 +48,12 @@ jobs:
          persist-credentials: false
      - name: Install actionlint
        run: |
-          curl -sL https://github.com/rhysd/actionlint/releases/latest/download/actionlint_linux_amd64.tar.gz | tar xz
+          bash <(curl -sL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
          sudo mv actionlint /usr/local/bin/
      - name: Lint GitHub Actions
        run: actionlint
-      - name: Install zizmor
-        run: pip install zizmor
      - name: Audit GitHub Actions security
-        run: zizmor .github/workflows/
+        run: pipx run zizmor .github/workflows/

  frontend-lint:
    runs-on: ubuntu-latest
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -3,6 +3,9 @@ name: Deploy
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  deploy:
    runs-on: ubuntu-latest
Author	SHA1	Message	Date
Julian Tabel	22d72e8a34	Restrict workflow permissions to contents: read All checks were successful CI / backend-lint (pull_request) Successful in 9s Details CI / actions-lint (pull_request) Successful in 15s Details CI / frontend-lint (pull_request) Successful in 20s Details All CI jobs and the deploy workflow only need to read repo contents. Adding explicit top-level permissions satisfies zizmor's excessive-permissions audit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-17 19:34:07 +01:00
Julian Tabel	2675491216	Fix zizmor PATH issue in CI by using pipx run Some checks failed CI / backend-lint (pull_request) Successful in 9s Details CI / actions-lint (pull_request) Failing after 15s Details CI / frontend-lint (pull_request) Successful in 20s Details pipx run executes directly without needing the binary on PATH. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-17 19:31:39 +01:00
Julian Tabel	e9100fa826	Fix zizmor install in CI by using pipx Some checks failed CI / backend-lint (pull_request) Successful in 9s Details CI / actions-lint (pull_request) Failing after 15s Details CI / frontend-lint (pull_request) Successful in 20s Details Bare pip install fails on newer Ubuntu runners due to PEP 668 (externally-managed-environment). Use pipx which is pre-installed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-17 19:28:24 +01:00
Julian Tabel	acfe767214	Fix actionlint install in CI workflow Some checks failed CI / backend-lint (pull_request) Successful in 9s Details CI / actions-lint (pull_request) Failing after 8s Details CI / frontend-lint (pull_request) Successful in 20s Details The download URL was missing the version number in the asset filename. Use the official download script which handles version resolution. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-17 19:19:11 +01:00