Merge pull request #1537 from crazy-max/zizmor-fixes

crazy-max · web-flow · commit e46f50c06eea · 2026-05-21T14:57:22.000+02:00
ci: restrict update-dist GitHub App token scope
diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml
@@ -26,6 +26,8 @@ jobs:
           app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
           private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
           owner: docker
+          repositories: build-push-action
+          permission-contents: write
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,8 @@ jobs:`
`26`	`26`	`app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}`
`27`	`27`	`private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}`
`28`	`28`	`owner: docker`
	`29`	`+ repositories: build-push-action`
	`30`	`+ permission-contents: write`
`29`	`31`	`-`
`30`	`32`	`name: Checkout`
`31`	`33`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`