Merge pull request #294 from smallstep/carl/remove-workflow-call-permissions

Remove job-level permissions from workflow_call-only workflows

Author: tashian

.github/workflows/codeql-analysis.yml

@@ -27,10 +27,6 @@ jobs:
   codeql-analyze:
     name: CodeQL Analyze
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     strategy:
       fail-fast: false
       matrix:

.github/workflows/frizbee.yml

@@ -6,8 +6,6 @@ jobs:
   frizbee:
     name: Check action pinning
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/goCI.yml

@@ -1,6 +1,3 @@
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -123,10 +120,6 @@ jobs:
 
   codeql:
     if: inputs.run-codeql
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     uses: ./.github/workflows/codeql-analysis.yml
     with:
       goprivate: ${{ inputs.goprivate }}

.github/workflows/zizmor.yml

@@ -11,9 +11,6 @@ jobs:
   zizmor:
     name: Scan GitHub workflows
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/zizmor.yml

@@ -0,0 +1,6 @@
+rules:
+  excessive-permissions:
+    ignore:
+      # workflow_call-only: the caller controls the permission ceiling,
+      # so job-level permissions blocks are meaningless here.
+      - goCI.yml