vpnhide/.github
okhsunrog cd46097991 ci: narrow workflow contents permission to read; grant write only on release
Workflow-level `contents: write` was granted to every job — lint,
zygisk build, lsposed build, portshide build, kmod matrix — even
though only the release job needs it (to create the draft GitHub
release via softprops/action-gh-release@v2). Tighten to the
least-privilege default of `contents: read` at the workflow level
and override with `permissions: contents: write` on the release job
alone. Reduces blast radius if any of the lint/build jobs ever runs
untrusted code from a PR.
2026-04-26 16:04:43 +03:00
docker/ci ci: export ANDROID_NDK_ROOT for Gobley plugin 2026-04-26 04:41:24 +03:00
workflows ci: narrow workflow contents permission to read; grant write only on release 2026-04-26 16:04:43 +03:00