With zizmor 1.2.1 I am seeing this warning:

```
[src\registry.rs:102:63] pfx = "."
warning[excessive-permissions]: overly broad permissions
  --> .github/workflows\ci-alpine-release.yml:12:3
    |
 12 | / release:
 13 | |   runs-on: ubuntu-24.04
...  |
108 | |     allowUpdates: true
109 | |     token: "${{ github.TOKEN }}"
    | |                                       -
    | |_______________________________________|
    |                                         this job
    |   default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium
```

From this warning: https://woodruffw.github.io/zizmor/audits/#excessive-permissions

But this is a reusable workflow. My permissions are defined in the parent calling it:

```yaml
ci-alpine-release:
  needs: [ci-alpine-build]
  if: always() && github.event.inputs.release == 'true' && contains(needs.*.result, 'success') && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
  concurrency:
    group: ci-alpine-release
    cancel-in-progress: true
  permissions:
    contents: write
  uses: ./.github/workflows/ci-alpine-release.yml
  with:
    distinct_id: ${{ github.event.inputs.distinct_id }}
```

I think this is a false positive?
Ah yep, that looks like a FP -- I made the `excessive-permissions` audit more general with this past release, but it looks like it doesn't adequately handle the reusable workflow "permissions from the caller" case. Could you file a bug for that, with a full reproducer? I'll need to think a bit about how best to handle that, since the lack of an explicit permissions block will mean different things if the reusable workflow has both `workflow_call` and other triggers.
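The distinction the reply draws (permissions inherited from the caller versus GitHub's default permissions, depending on whether the reusable workflow has triggers other than `workflow_call`), as an added example that is not zizmor's own code: a small Python check over already-parsed workflow dicts that mirror the YAML in this thread. The dicts, the function names and the confidence labels are constructed assumptions.

```python
from __future__ import annotations

# Constructed inputs mirroring the YAML in this discussion (already parsed,
# so no YAML library is needed). Names and structure are assumptions.
CALLED_WORKFLOW = {  # .github/workflows/ci-alpine-release.yml
    "on": {"workflow_call": {"inputs": {"distinct_id": {"type": "string"}}}},
    "jobs": {"release": {"runs-on": "ubuntu-24.04", "steps": []}},
}
CALLER_JOB = {  # the `ci-alpine-release` job of the parent workflow
    "permissions": {"contents": "write"},
    "uses": "./.github/workflows/ci-alpine-release.yml",
}


def triggers(workflow: dict) -> set[str]:
    """Normalise `on:` (string, list or mapping) into a set of event names.
    PyYAML reads a bare `on` key as the boolean True, so accept both keys."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on)


def audit_job_permissions(workflow: dict, job: str,
                          caller_job: dict | None = None) -> tuple[str, str]:
    """Return (confidence, message); confidence "none" means no finding."""
    if "permissions" in workflow["jobs"][job] or "permissions" in workflow:
        return "none", "explicit permissions: block present"
    events = triggers(workflow)
    if "workflow_call" not in events:
        return "high", "default permissions used due to no permissions: block"
    if events != {"workflow_call"}:
        # Callable *and* directly triggered: the default token applies on the
        # non-call events, so the missing block is still worth reporting.
        direct = sorted(events - {"workflow_call"})
        return "medium", f"no permissions: block; also runs directly on {direct}"
    # Only callable: the effective token scopes come from the caller's job.
    if caller_job is None:
        return "low", "permissions inherited from caller; audit the calling job"
    granted = caller_job.get("permissions")
    if granted is None:
        return "medium", "caller job passes its workflow's default permissions"
    return "none", f"permissions inherited from caller: {granted}"
```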