Skip to content

#1695 #1696 #1697: harden workflow security — permissions and persist-credentials#1761

Open
VasilevNStas wants to merge 1 commit into
zerocracy:masterfrom
VasilevNStas:1695-workflow-permissions
Open

#1695 #1696 #1697: harden workflow security — permissions and persist-credentials#1761
VasilevNStas wants to merge 1 commit into
zerocracy:masterfrom
VasilevNStas:1695-workflow-permissions

Conversation

@VasilevNStas

@VasilevNStas VasilevNStas commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Closes #1695 (add permissions to 17 workflows)
Closes #1696 (persist-credentials: false on all checkouts)
Closes #1697 (remove unused actions: write from zerocracy.yml)

All three issues affect the same set of workflow files with the same root cause (GitHub Actions security hardening), so they are grouped into one PR.

Changes:

  • Add permissions: contents: read to 17 workflow files that lack explicit permissions blocks
  • Add persist-credentials: false to all actions/checkout steps to prevent credential leakage
  • Remove unused actions: write permission from zerocracy.yml

- Add permissions: block to all 17 workflows that were missing it
  (contents: read for lint/CI, issues: write for titles, contents+PR write for up)
- Remove unused actions: write from zerocracy.yml
- Add persist-credentials: false to all actions/checkout steps
@VasilevNStas

Copy link
Copy Markdown
Contributor Author

@yegor256 plz review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

1 participant