Merge pull request #398 from crazy-max/release-fix-perms2

crazy-max · web-flow · commit c5df610f9a64 · 2026-04-07T22:49:23.000+02:00
stop downgrading reusable workflow permissions
diff --git a/.github/workflows/.build.yml b/.github/workflows/.build.yml
@@ -1,9 +1,6 @@
 # reusable workflow
 name: .build
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/.pkgs.yml b/.github/workflows/.pkgs.yml
@@ -1,9 +1,6 @@
 # reusable workflow
 name: .pkgs
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     outputs:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -1,3 +1,10 @@
 rules:
+  # rule does not apply to reusable worfklows where permissions are defined by
+  # the caller workflow and not the reusable workflow itself
+  excessive-permissions:
+    ignore:
+      - .build.yml
+      - .pkgs.yml
+
   secrets-outside-env: # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783
     disable: true
