Merge pull request #13382 from Turbo87/zizmor-workflow-fixes

Turbo87 · web-flow · commit 9018dd247c53 · 2026-04-12T20:57:38.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -338,7 +338,7 @@ jobs:
     needs: filter-jobs
     if: needs.filter-jobs.outputs.zizmor == 'true'
     permissions:
-      security-events: write
+      security-events: write  # needed by `codeql-action/upload-sarif` to upload zizmor results to GitHub code scanning
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-24.04
 
     permissions:
-      id-token: write
+      id-token: write  # needed by `crates-io-auth-action` to mint an OIDC token for Trusted Publishing
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/update-cdn-ip-ranges.yml b/.github/workflows/update-cdn-ip-ranges.yml
@@ -13,8 +13,7 @@ on:
   schedule:
     - cron: "42 * * * *"
 
-permissions:
-  contents: write
+permissions: {}
 
 concurrency:
   group: update-cdn-ip-ranges
@@ -27,12 +26,15 @@ jobs:
   run:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'rust-lang' }}
+    permissions:
+      contents: write  # needed to `git push` the updated CDN IP ranges back to the `main` branch
+
     steps:
       - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         id: app-token
         with:
           app-id: ${{ vars.WORKFLOWS_CRATES_IO_APP_ID }}
-          private-key: ${{ secrets.WORKFLOWS_CRATES_IO_PRIVATE_KEY }}
+          private-key: ${{ secrets.WORKFLOWS_CRATES_IO_PRIVATE_KEY }}  # zizmor: ignore[secrets-outside-env] repository write access is already the effective boundary; an environment adds no meaningful protection
 
       - name: Get GitHub App User ID
         id: get-user-id
