From 40e658deb2afd6447bbc80198ff9eaad0d91a4f2 Mon Sep 17 00:00:00 2001
From: Husam
Date: Tue, 30 Jun 2026 01:45:05 +0000
Subject: [PATCH] chore(actions): address zizmor findings
This PR is an AI assisted attempt to address zizmor findings. It may not catch everything, and should be reviewed by repository owners. If it is unhelpful, feel free to close the PR and address separately. If it is helpful, feel free to approve and merge, or edit/modify as needed to get it to the right state. Repository owners must ultimately ensure compliance by 2026-07-13. The purpose of this PR is to provide some assistance with achieving that as a first pass. This will become a blocking check for new changes to github workflows on 2026-07-13.
---
 .github/workflows/approve-readme.yaml | 3 +++
 .github/workflows/auto-release.yaml | 3 +++
 .github/workflows/ci.yaml | 3 +++
 .github/workflows/downstream.yaml | 3 +++
 .github/workflows/renovate_config_check.yaml | 9 +++++++--
 5 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/approve-readme.yaml b/.github/workflows/approve-readme.yaml
index 59f00b8eb..7df783663 100644
--- a/.github/workflows/approve-readme.yaml
+++ b/.github/workflows/approve-readme.yaml
@@ -14,6 +14,9 @@
 # Github action job to test core java library features on
 # downstream client libraries before they are released.
 on:
+
+permissions:
+ contents: read
 pull_request:
 name: auto-merge-readme
 jobs:
diff --git a/.github/workflows/auto-release.yaml b/.github/workflows/auto-release.yaml
index 18d92e5a2..d4e23a8e8 100644
--- a/.github/workflows/auto-release.yaml
+++ b/.github/workflows/auto-release.yaml
@@ -14,6 +14,9 @@
 # Github action job to test core java library features on
 # downstream client libraries before they are released.
 on:
+
+permissions:
+ contents: read
 pull_request:
 name: auto-release
 jobs:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c1a809fe1..413aeb523 100644
--- a/.github/workflows/ci.yaml
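Review bot: In the approve-readme.yaml hunk the added `permissions:` block is inserted between `on:` and its indented `pull_request:` trigger instead of before the `on:` key, so `on:` is left with a null value and `pull_request` becomes a child key of `permissions`, which is not a permission scope GitHub's workflow validator is likely to accept; the auto-release.yaml, ci.yaml and downstream.yaml hunks place the block the same way. Indentation is not visible in this rendering, so this is inferred from the original layout of `on:` followed by an indented trigger, but if it holds the four workflows either fail validation or lose their triggers, which would go unnoticed for auto-release in particular. Move the three lines above `on:` as the renovate_config_check.yaml hunk already does: `permissions:`, `  contents: read`, then a blank line before the unchanged `on:` mapping. Note also that a workflow-level `contents: read` caps every job's token, and auto-release and auto-merge-readme appear to act on pull requests or releases; their jobs are outside these hunks, so confirm that any job needing `pull-requests: write` or `contents: write` declares it at job level.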
+++ b/.github/workflows/ci.yaml
@@ -1,4 +1,7 @@
 on:
+
+permissions:
+ contents: read
 push:
 branches:
 - main
diff --git a/.github/workflows/downstream.yaml b/.github/workflows/downstream.yaml
index 910e73a59..4b9078411 100644
--- a/.github/workflows/downstream.yaml
+++ b/.github/workflows/downstream.yaml
@@ -1,4 +1,7 @@
 on:
+
+permissions:
+ contents: read
 pull_request:
 types: [ labeled ]
 branches:
diff --git a/.github/workflows/renovate_config_check.yaml b/.github/workflows/renovate_config_check.yaml
index d3467e9d2..62cd07959 100644
--- a/.github/workflows/renovate_config_check.yaml
+++ b/.github/workflows/renovate_config_check.yaml
@@ -1,5 +1,8 @@
 name: Renovate Bot Config Validation
+permissions:
+ contents: read
+
 on:
 pull_request:
 paths:
@@ -12,10 +15,12 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20'