Skip to content

Tighten workflow-level permissions and expand dependabot scope#43

Merged
wagoodman merged 1 commit into
mainfrom
remediate-audit
May 8, 2026
Merged

Tighten workflow-level permissions and expand dependabot scope#43
wagoodman merged 1 commit into
mainfrom
remediate-audit

Conversation

@wagoodman

Copy link
Copy Markdown
Contributor

Moves top-level workflow permissions from contents: read to {} across all three workflow files, pushing contents: read down to the job level where it's actually needed. Also adds /.github/actions/* to the dependabot github-actions ecosystem directories list so local composite actions get version-tracked.

Changes:

  • set permissions: {} at workflow level in release.yaml, validate-github-actions.yaml, and validations.yaml
  • add job-level permissions: { contents: read } to Static-Analysis and Unit-Test jobs in validations.yaml
  • add /.github/actions/* directory to dependabot github-actions ecosystem

Notes:

  • release.yaml already had contents: write scoped to the release job, so no change needed there
  • validate-github-actions.yaml already had job-level permissions on the zizmor job

Move top-level workflow permissions from `contents: read` to `{}` across
all three workflow files, pushing `contents: read` down to the job level
where needed. Add `/.github/actions/*` to the dependabot github-actions
ecosystem directories list.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman added the changelog-ignore do not add a entry for this when generating the changelog label May 8, 2026
@wagoodman wagoodman merged commit d2e3d84 into main May 8, 2026
8 checks passed
@wagoodman wagoodman deleted the remediate-audit branch May 8, 2026 20:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

changelog-ignore do not add a entry for this when generating the changelog

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant