vpnhide/.github/workflows
okhsunrog cd46097991 ci: narrow workflow contents permission to read; grant write only on release
Workflow-level `contents: write` was granted to every job — lint,
zygisk build, lsposed build, portshide build, kmod matrix — even
though only the release job needs it (to create the draft GitHub
release via softprops/action-gh-release@v2). Tighten to the
least-privilege default of `contents: read` at the workflow level
and override with `permissions: contents: write` on the release job
alone. Reduces blast radius if any of the lint/build jobs ever runs
untrusted code from a PR.
2026-04-26 16:04:43 +03:00
ci-image.yml Simpler approach to lowercasing 2026-04-21 18:32:28 +03:00
ci.yml ci: narrow workflow contents permission to read; grant write only on release 2026-04-26 16:04:43 +03:00