
Commit 17206f5

GH Actions: set permissions for each workflow/job
> Users frequently over-scope their workflow and job permissions, or set broad workflow-level permissions without realizing that all jobs inherit those permissions.
>
> Furthermore, users often don't realize that the _default_ `GITHUB_TOKEN` permissions can be very broad, meaning that workflows that don't configure any permissions at all can _still_ provide excessive credentials to their individual jobs.
>
> **Remediation**
> In general, permissions should be declared as minimally as possible, and as close to their usage site as possible.
>
> In practice, this means that workflows should almost always set `permissions: {}` at the workflow level to disable all permissions by default, and then set specific job-level permissions as needed.

Refs:
* https://docs.zizmor.sh/audits/#excessive-permissions
* https://github.com/GitHubSecurityLab/actions-permissions/tree/main/monitor
1 parent c3795e0 commit 17206f5
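As an added illustration of the remediation quoted in the commit message (this is not the repository's own `ci.yml`; the job names, steps and the second job are assumed for the example), the over-scoped pattern is shown beside the corrected form that disables everything at the workflow level and grants each job only the scope it uses. The two workflows are separate files, shown here as one YAML stream for comparison.

```yaml
# BEFORE (assumed example of the over-scoped pattern): every job inherits
# write access to contents and pull requests, whether it needs them or not.
on:
  pull_request:
  workflow_dispatch:
permissions:
  contents: write
  pull-requests: write
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: xmllint --noout schema/*.xml
---
# AFTER (corrected): no token scopes by default, then the minimum per job.
on:
  pull_request:
  workflow_dispatch:
permissions: {}
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # only what actions/checkout needs
    steps:
      - uses: actions/checkout@v4
      - run: xmllint --noout schema/*.xml
  comment:                    # assumed second job that writes a PR comment
    runs-on: ubuntu-latest
    needs: lint
    permissions:
      pull-requests: write    # this job posts a comment and nothing else
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'xmllint passed',
            });
```

A job that declares its own `permissions:` block gets exactly those scopes and nothing from the workflow level, so a missing scope shows up as a 403 in that job's log rather than as silent over-privilege.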

1 file changed: +2 −0 lines


.github/workflows/ci.yml

Lines changed: 2 additions & 0 deletions
@@ -12,6 +12,8 @@ on:
1212
# Allow manually triggering the workflow.
1313
workflow_dispatch:
1414

15+
permissions: {}
16+
1517
jobs:
1618
xmllint:
1719
# Don't run the cron job on forks.
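Review bot: the hunk adds `permissions: {}` at the workflow level but, since the whole change is 2 additions and 0 deletions, no job-level `permissions:` block is added for `xmllint` or for any other job in the file, so every job now runs with a `GITHUB_TOKEN` that has no scopes at all. That matches the commit message's "disable all permissions by default" but not its second half, "then set specific job-level permissions as needed": any job that relies on the token (for example a checkout of a private repository, or a step that writes back to the repository) will now fail with a 403 at runtime rather than at review time. Suggest adding the minimum under each such job, e.g. `permissions:` followed by `contents: read` for a job that only checks out and lints, and running the referenced actions-permissions monitor once to confirm which jobs actually use a scope.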

0 commit comments
