From b9ed0091fae27b6288e5aa4014fb31df34f153c9 Mon Sep 17 00:00:00 2001 From: j7an Date: Thu, 28 May 2026 20:46:54 -0700 Subject: [PATCH 1/2] fix(release): narrow App token to contents:write --- .github/workflows/tag-release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index f5ebc38..fbed3ea 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml @@ -91,6 +91,9 @@ jobs: with: client-id: ${{ vars.RELEASE_BOT_APP_ID }} private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }} + # Least privilege: read for checkout, write for Git Data API + # content/ref/tag operations (blobs, trees, commits, refs, tags). + permission-contents: write - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: From 7446e23c414f4b09fb9611dc00ad05de49aa3944 Mon Sep 17 00:00:00 2001 From: j7an Date: Thu, 28 May 2026 20:47:00 -0700 Subject: [PATCH 2/2] fix(security): disable flaky online audits in zizmor gate --- .github/workflows/security.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 604d922..4ce55df 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -29,3 +29,7 @@ jobs: with: min-severity: medium min-confidence: medium + # Online audits do cross-repo GitHub tag lookups; in CI the default + # repository-scoped GITHUB_TOKEN returns 401 for public actions + # (e.g. astral-sh/setup-uv). Keep this required gate deterministic. + online-audits: false