From d3db5b19b844ea970ffb37576acc5b012ad0a02b Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Mon, 15 Jun 2026 20:36:11 +0200 Subject: [PATCH] ci: scope stale-repos App token to least privilege (zizmor github-app) The create-github-app-token step set no permission-* inputs, so the installation token inherited blanket permissions (zizmor github-app). Scope it to what the workflow needs: contents:read + pull-requests:read (stale-repos activity/PR/release metrics) and issues:write (the report issue). Co-Authored-By: Claude Fable 5 --- .github/workflows/stale-repository-identifier.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/stale-repository-identifier.yaml b/.github/workflows/stale-repository-identifier.yaml index fa8dc41..6ed18e2 100644 --- a/.github/workflows/stale-repository-identifier.yaml +++ b/.github/workflows/stale-repository-identifier.yaml @@ -20,6 +20,12 @@ jobs: with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} + # Least-privilege scope (zizmor github-app): without these the token + # inherits all of the App's installation permissions. stale-repos only + # reads repo/PR/release activity and opens a report issue. + permission-contents: read + permission-pull-requests: read + permission-issues: write - name: 📑 Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2