fix permissions

anthony-nhs · anthony-nhs · commit 2685c974bd02 · 2026-04-01T17:08:02.000Z
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -7,10 +7,14 @@ on:
 env:
   BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
 
+permissions: {}
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
     uses: ./.github/workflows/dependabot-auto-approve-and-merge.yml
+    permissions:
+      contents: write
+      pull-requests: write
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
@@ -20,12 +24,19 @@ jobs:
 
   get_config_values:
     uses: ./.github/workflows/get-repo-config.yml
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: false
 
   quality_checks:
     uses: ./.github/workflows/quality-checks-devcontainer.yml
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
diff --git a/.github/workflows/quality-checks-devcontainer.yml b/.github/workflows/quality-checks-devcontainer.yml
@@ -24,7 +24,9 @@ on:
       pinned_image:
         type: string
         required: true
-
+permissions:
+  contents: read
+  id-token: write
 jobs:
   quality_checks:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,12 +7,20 @@ on:
 env:
   BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
 
+permissions: {}
 jobs:
   get_config_values:
     uses: ./.github/workflows/get-repo-config.yml
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
   quality_checks:
     needs: [get_config_values]
     uses: ./.github/workflows/quality-checks-devcontainer.yml
+    permissions:
+      contents: read
+      id-token: write
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
diff --git a/zizmor.yml b/zizmor.yml
@@ -11,14 +11,3 @@ rules:
     ignore:
       - quality-checks-devcontainer.yml
       - tag-release-devcontainer.yml
-  excessive-permissions:
-    # these are possible excessive permissions but need time to work out if they are actually excessive or not
-    ignore:
-      - pull_request.yml:1:1
-      - pull_request.yml:11:3
-      - pull_request.yml:18:3
-      - pull_request.yml:21:3
-      - pull_request.yml:26:3
-      - release.yml:1:1
-      - release.yml:11:3
-      - release.yml:13:3
