From: Viktor Szakats <commit@vsz.me>
Date: Sat, 13 Sep 2025 15:20:22 +0000 (+0200)
Subject: GHA: document permissions as required by zizmor 1.13.0
X-Git-Tag: rc-8_17_0-2~510
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83c457f9f3244544c4f0f13051cd00e637c6de88;p=thirdparty%2Fcurl.git

GHA: document permissions as required by zizmor 1.13.0

Ref: https://github.com/zizmorcore/zizmor/pull/1131
Ref: https://docs.zizmor.sh/audits/#undocumented-permissions

Bug: https://github.com/curl/curl/pull/18539#issuecomment-3288151910

Closes #18541
---

diff --git a/.github/workflows/appveyor-status.yml b/.github/workflows/appveyor-status.yml
index cb7f96b190..5269f3ca65 100644
--- a/.github/workflows/appveyor-status.yml
+++ b/.github/workflows/appveyor-status.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.sender.login == 'appveyor[bot]' }}
     permissions:
-      statuses: write
+      statuses: write  # To update build statuses
     steps:
       - name: 'Create individual AppVeyor build statuses'
         if: ${{ github.event.sha && github.event.target_url }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0952eb3d1d..ff2e91c32a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -45,7 +45,7 @@ jobs:
     name: 'GHA and Python'
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
+      security-events: write  # To create/update security events
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -64,7 +64,7 @@ jobs:
     name: 'C'
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
+      security-events: write  # To create/update security events
     steps:
       - name: 'install prereqs'
         timeout-minutes: 5
diff --git a/.github/workflows/hacktoberfest-accepted.yml b/.github/workflows/hacktoberfest-accepted.yml
index 916b354481..3aacbd6d0c 100644
--- a/.github/workflows/hacktoberfest-accepted.yml
+++ b/.github/workflows/hacktoberfest-accepted.yml
@@ -23,9 +23,8 @@ jobs:
     name: 'Add hacktoberfest-accepted label'
     runs-on: ubuntu-latest
     permissions:
-      # requires issues AND pull-requests write permissions to edit labels on PRs!
-      issues: write
-      pull-requests: write
+      issues: write          # To edit labels on PRs
+      pull-requests: write   # To edit labels on PRs
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index b84702a8a1..cfafde14f7 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -19,8 +19,8 @@ jobs:
     name: 'Labeler'
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      pull-requests: write
+      contents: read        # To comply with https://github.com/actions/labeler documentation
+      pull-requests: write  # To edit labels on PRs
 
     steps:
       - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6