ci: narrow workflow contents permission to read; grant write only on release

Workflow-level `contents: write` was granted to every job — lint,
zygisk build, lsposed build, portshide build, kmod matrix — even
though only the release job needs it (to create the draft GitHub
release via softprops/action-gh-release@v2). Tighten to the
least-privilege default of `contents: read` at the workflow level
and override with `permissions: contents: write` on the release job
alone. Reduces blast radius if any of the lint/build jobs ever runs
untrusted code from a PR.
okhsunrog 2026-04-26 15:48:19 +03:00
parent 91204f596a
commit cd46097991


@ -8,7 +8,7 @@ on:
workflow_dispatch:
permissions:
contents: write
contents: read
packages: read
jobs:
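Review bot: the retained `packages: read` next to the new `contents: read` is worth a one-line comment, because a top-level `permissions:` block sets every unlisted scope to `none` and any job that pushes an image (the kmod matrix is the likely candidate) would now also need a job-level `packages: write` override, not just the release job's `contents: write`. A comment such as `# floor for every job; release overrides contents below` beside `contents: read` keeps the two grants visibly tied together.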
@ -260,6 +260,11 @@ jobs:
needs: [kmod, zygisk, lsposed, portshide]
if: startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
# Only the release job needs write — used by softprops/action-gh-release
# below to create the draft GitHub release. lint/build jobs run on the
# workflow-level `contents: read`.
permissions:
contents: write
steps:
- uses: actions/checkout@v6
with:
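Review bot: a job-level `permissions:` block replaces the workflow-level one for that job rather than merging with it, so with only `contents: write` listed here the release job now runs with `packages: none`; if this job pulls anything from the registry that the build jobs read with `packages: read`, add `packages: read` alongside `contents: write`, otherwise extend the comment to say the drop is intentional. Since this is now the one job that holds a write token and it runs `actions/checkout@v6` and `softprops/action-gh-release@v2` by mutable tag, pinning both to a commit SHA would keep the blast-radius argument from the commit message from being undone by an action tag being moved.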