ci: scope permissions per-job + suppress vouch dangerous-triggers

nicktrn · nicktrn · commit 2464ddfbbb18 · 2026-05-01T18:41:13.000+01:00
diff --git a/.github/workflows/pr_checks.yml b/.github/workflows/pr_checks.yml
@@ -15,7 +15,6 @@ concurrency:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   typecheck:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -37,8 +37,6 @@ on:
       - "tests/**"
 
 permissions:
-  id-token: write
-  packages: write
   contents: read
 
 concurrency:
@@ -58,20 +56,31 @@ jobs:
 
   publish-webapp:
     needs: [typecheck]
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     uses: ./.github/workflows/publish-webapp.yml
     secrets: inherit
     with:
       image_tag: ${{ inputs.image_tag }}
 
   publish-worker:
     needs: [typecheck]
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/publish-worker.yml
     secrets: inherit
     with:
       image_tag: ${{ inputs.image_tag }}
 
   publish-worker-v4:
     needs: [typecheck]
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     uses: ./.github/workflows/publish-worker-v4.yml
     secrets: inherit
     with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -33,6 +33,7 @@ jobs:
   show-release-summary:
     name: 📋 Release Summary
     runs-on: ubuntu-latest
+    permissions: {}
     if: |
       github.repository == 'triggerdotdev/trigger.dev' &&
       github.event_name == 'pull_request' &&
@@ -164,6 +165,10 @@ jobs:
     name: 🐳 Publish Docker images
     needs: release
     if: needs.release.outputs.published == 'true'
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     uses: ./.github/workflows/publish.yml
     secrets: inherit
     with:
@@ -233,6 +238,7 @@ jobs:
     needs: [release, update-release]
     if: needs.release.outputs.published == 'true'
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:
diff --git a/.github/workflows/vouch-check-pr.yml b/.github/workflows/vouch-check-pr.yml
@@ -1,17 +1,18 @@
 name: Vouch - Check PR
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] vouch needs to comment on fork PRs
     types: [opened, reopened]
 
-permissions:
-  contents: read
-  pull-requests: write
-  issues: read
+permissions: {}
 
 jobs:
   check-vouch:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write # auto-close unvouched PRs
+      issues: read
     steps:
       - uses: mitchellh/vouch/action/check-pr@c6d80ead49839655b61b422700b7a3bc9d0804a9 # v1.4.2
         with:
@@ -23,6 +24,8 @@ jobs:
 
   require-draft:
     needs: check-vouch
+    permissions:
+      pull-requests: write # close non-draft PRs with a comment
     if: >
       github.event.pull_request.draft == false &&
       github.event.pull_request.author_association != 'MEMBER' &&
