ci: add permission comments and remove redundant comments from workflows (#1985)

hrzlgnm · web-flow · commit 2ea9647ed70a · 2026-03-08T12:41:12.000Z
diff --git a/.github/workflows/asset-checksums-reusable.yml b/.github/workflows/asset-checksums-reusable.yml
@@ -14,9 +14,6 @@ on:
         type: string
         required: false
 
-permissions:
-  contents: write
-
 jobs:
   tag:
     name: Tag
diff --git a/.github/workflows/aur-reusable.yml b/.github/workflows/aur-reusable.yml
@@ -12,7 +12,7 @@ on:
 jobs:
   release-info:
     permissions:
-      packages: read
+      packages: read # needed to read release info from GitHub Packages
     runs-on: ubuntu-slim
     outputs:
       version: ${{ steps.version.outputs.version }}
@@ -30,8 +30,6 @@ jobs:
   update-aur:
     needs:
       - release-info
-    permissions:
-      packages: read
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/hrzlgnm/mdns-browser-arch-aur-builder:v1@sha256:d06a3c63493066b249b3bdb8b0e503a0936eecaa06259c94a5f466e7a08135d5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,9 +31,9 @@ jobs:
     if: github.event_name == 'pull_request'
     name: "🏷️ Label PR"
     permissions:
-      contents: read # Needed to read repository contents
-      pull-requests: write # Needed to apply labels
-      issues: write # Needed to create non existing labels
+      contents: read # needed to read repository contents for labeler config
+      pull-requests: write # needed to apply labels to PRs
+      issues: write # needed to create non-existing labels
     runs-on: ubuntu-slim
 
     steps:
@@ -159,7 +159,7 @@ jobs:
     needs: changes
     if: needs.changes.outputs.tauri == 'true' || needs.changes.outputs.android == 'true'
     permissions:
-      contents: write
+      contents: write # needed to upload build artifacts
     uses: ./.github/workflows/android-reusable.yml
     secrets: inherit
     with:
@@ -170,7 +170,7 @@ jobs:
     needs: changes
     if: needs.changes.outputs.tauri == 'true' || needs.changes.outputs.desktop == 'true'
     permissions:
-      contents: write
+      contents: write # needed to upload build artifacts
     uses: ./.github/workflows/desktop-reusable.yml
     secrets: inherit
     with:
@@ -191,8 +191,8 @@ jobs:
     needs: changes
     if: needs.changes.outputs.docker == 'true'
     permissions:
-      contents: read
-      packages: write # Needed to push to GHCR
+      contents: read # needed to checkout code for docker build
+      packages: write # needed to push to GHCR
 
     uses: hrzlgnm/actions/.github/workflows/docker-reusable.yml@292498dae084d4097c6dea750cf8b23f865a83eb # v2.0.4
     with:
diff --git a/.github/workflows/publish-sbom-reusable.yml b/.github/workflows/publish-sbom-reusable.yml
@@ -10,10 +10,6 @@ on:
         type: string
         required: false
 
-permissions:
-  contents: write
-  actions: read
-
 jobs:
   tag:
     name: Tag
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -176,10 +176,10 @@ jobs:
     needs: [bump_version, create_prerelease]
     if: (inputs.create-release && !inputs.dry-run)
     permissions:
-      id-token: write
-      attestations: write
-      contents: write
-      actions: read
+      id-token: write # needed for OIDC token for attestation
+      attestations: write # needed to create build attestations
+      contents: write # needed to upload build artifacts
+      actions: read # needed to download workflow artifacts
     name: 🔨 Build Android
     uses: ./.github/workflows/android-reusable.yml
     secrets: inherit
@@ -190,10 +190,10 @@ jobs:
     needs: [bump_version, create_prerelease]
     if: (inputs.create-release && !inputs.dry-run)
     permissions:
-      id-token: write
-      attestations: write
-      contents: write
-      actions: read
+      id-token: write # needed for OIDC token for attestation
+      attestations: write # needed to create build attestations
+      contents: write # needed to upload build artifacts
+      actions: read # needed to download workflow artifacts
     name: 🔨 Build Desktop
     uses: ./.github/workflows/desktop-reusable.yml
     secrets: inherit
@@ -204,10 +204,10 @@ jobs:
     needs: [bump_version, create_prerelease, source_checksums]
     if: (inputs.create-release && !inputs.dry-run)
     permissions:
-      id-token: write
-      attestations: write
-      contents: write
-      actions: read
+      id-token: write # needed for OIDC token for attestation
+      attestations: write # needed to create build attestations
+      contents: write # needed to upload build artifacts
+      actions: read # needed to download workflow artifacts
     name: 🔨 Build Void
     uses: ./.github/workflows/void-reusable.yml
     secrets: inherit
diff --git a/.github/workflows/source-checksums-reusable.yml b/.github/workflows/source-checksums-reusable.yml
@@ -14,9 +14,6 @@ on:
         type: string
         required: false
 
-permissions:
-  contents: write
-
 jobs:
   tag:
     name: Tag
diff --git a/.github/workflows/winget-reusable.yml b/.github/workflows/winget-reusable.yml
@@ -11,6 +11,8 @@ on:
 
 jobs:
   publish:
+    permissions:
+      contents: read # needed to checkout repository for release info
     runs-on: ubuntu-latest
     steps:
       - name: 🔄 Checkout
