Summary
The default branch already hardened .github/workflows/bazel.yml against the issue(s) below, but 4 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
Already resolved on the default branch in:
Affected release branches (4)
release-5.4.0 (still present as of HEAD b5da00ad)
release-5.3.4 (still present as of HEAD 63d20eb9)
release-5.3.3 (still present as of HEAD 29d90a4f)
release-5.3.2 (still present as of HEAD 2baaf044)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release-5.4.0 — excessive-permissions
File .github/workflows/bazel.yml; suggested edits:
- permissions.actions = 'write'
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -21,3 +21,5 @@
run: bazel build --config=remote //...
- name: Run Tests
run: bazel test --config=remote //...
+permissions:
+ actions: write
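Review bot: the `actions: write` grant in the new `permissions:` block needs a justification in the hunk or the PR description, because the visible context shows only `bazel build` and `bazel test` steps, neither of which calls the Actions API; if no step in the job uses that API, a read-only declaration such as `permissions:` / `  contents: read` would be the least-privilege form and would still replace the repository default the finding is about.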
release-5.3.4 — excessive-permissions
File .github/workflows/bazel.yml; suggested edits:
- permissions.actions = 'write'
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -21,3 +21,5 @@
run: bazel build --config=remote //...
- name: Run Tests
run: bazel test --config=remote //...
+permissions:
+ actions: write
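Review bot: a top-level `permissions:` mapping that names only `actions` sets every unlisted scope, including `contents`, to none, so confirm that the checkout, cache or remote-execution steps earlier in this file (outside the three context lines shown) do not depend on `contents: read` before merging, since the hunk changes the token for the whole workflow and not only for the `Run Tests` step it appears next to.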
release-5.3.3 — excessive-permissions
File .github/workflows/bazel.yml; suggested edits:
- permissions.actions = 'write'
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -21,3 +21,5 @@
run: bazel build --config=remote //...
- name: Run Tests
run: bazel test --config=remote //...
+permissions:
+ actions: write
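Review bot: the new `permissions:` key is appended at column 0 after the last step of the job (the hunk ends the file at line 23 with no trailing context), which makes it a top-level key that follows the `jobs:` mapping; that is valid YAML, but placing the block next to the trigger definition near the top of the file is the conventional spot and keeps the workflow's token scope visible to anyone reading the file from the start, so consider moving the two lines there.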
release-5.3.2 — excessive-permissions
File .github/workflows/bazel.yml; suggested edits:
- permissions.actions = 'write'
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -21,3 +21,5 @@
run: bazel build --config=remote //...
- name: Run Tests
run: bazel test --config=remote //...
+permissions:
+ actions: write
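Review bot: this hunk, including the `@@ -21,3 +21,5 @@` header, is byte-identical to the ones proposed for the other three release branches even though each branch is at a different HEAD, so before applying it confirm that `.github/workflows/bazel.yml` really is identical at line 21 onward on this branch; a one-line drift in the file would make the patch fail to apply or land the block in the wrong place.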
Happy to open pull requests instead if that's preferred.
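A small permission audit in the spirit of the excessive-permissions finding above, as an added example (not zizmor's code or the project's workflow). It assumes workflows are supplied already parsed, as PyYAML's safe_load would return them, and resolves permissions the way GitHub does: a job-level block replaces the workflow-level one, and any declared mapping sets unlisted scopes to none.

```python
# Added example, not zizmor's code or the project's: a minimal audit of
# GITHUB_TOKEN permissions in the spirit of the excessive-permissions finding.
# Workflows are passed in already parsed (the mapping yaml.safe_load() would
# return for the file), so no YAML library is needed to run it.

def effective_permissions(workflow: dict, job: dict):
    """Permissions that apply to one job, or None for the repository default.

    GitHub resolves the token scope per job: a job-level `permissions:` block
    replaces (does not merge with) the workflow-level one, and when neither is
    present the repository's default GITHUB_TOKEN permissions apply.
    """
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")

def audit_permissions(workflow: dict) -> list[str]:
    """Report jobs whose token scope is wider than an explicit, read-only grant.

    Declaring any `permissions:` mapping sets unlisted scopes to none, so an
    empty mapping or read scopes yield no finding; write grants are reported.
    """
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        perms = effective_permissions(workflow, job)
        if perms is None:
            findings.append(f"job '{name}': no permissions block at workflow or "
                            "job level; GITHUB_TOKEN gets the repository default")
        elif perms == "write-all":
            findings.append(f"job '{name}': write-all grants every scope")
        elif perms == "read-all":
            findings.append(f"job '{name}': read-all is wider than the scopes used")
        elif isinstance(perms, dict):
            writes = sorted(s for s, level in perms.items() if level == "write")
            if writes:
                findings.append(f"job '{name}': write access granted on: "
                                + ", ".join(writes))
    return findings

# Constructed sample shaped like the page's bazel.yml: the job before the fix
# (no permissions block) and after it (top-level `actions: write` only).
STEPS = [{"name": "Build", "run": "bazel build --config=remote //..."},
         {"name": "Run Tests", "run": "bazel test --config=remote //..."}]
BEFORE = {"name": "Bazel", "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": STEPS}}}
AFTER = {**BEFORE, "permissions": {"actions": "write"}}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_permissions(wf))
```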