From 3ca13062eed059c53f808f7c02767a0a53592793 Mon Sep 17 00:00:00 2001
From: Shaan Majid <70789625+shaanmajid@users.noreply.github.com>
Date: Fri, 3 Apr 2026 11:13:11 +0000
Subject: [PATCH] ci: narrow workflow permissions to least privilege (#10637)
Co-authored-by: Jay
---
 .github/workflows/release-branch.yml | 6 ++++--
 .github/workflows/run-ci.yml | 1 -
 .github/zizmor.yml | 5 -----
 3 files changed, 4 insertions(+), 8 deletions(-)
 delete mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 3300e557..b9b72f03 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -17,8 +17,7 @@ on:
 default: false
 permissions:
- contents: write
- pull-requests: write
+ contents: read
 jobs:
 build-and-run-vitest:
@@ -194,6 +193,9 @@ jobs:
 name: Bump version and create PR
 needs: [build-and-run-vitest, cjs-smoke-tests, esm-smoke-tests]
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Checkout repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/run-ci.yml b/.github/workflows/run-ci.yml
index 05978c44..67b2ccb0 100644
--- a/.github/workflows/run-ci.yml
+++ b/.github/workflows/run-ci.yml
@@ -6,7 +6,6 @@ on:
 permissions:
 contents: read
- security-events: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
deleted file mode 100644
index 6de13857..00000000
--- a/.github/zizmor.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-rules:
- excessive-permissions:
- # TODO: audit and narrow permissions across all workflows
- disable: true
-
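Review bot: The new job-level `permissions` block on "Bump version and create PR" in release-branch.yml has no comment saying why this single job keeps write scopes now that the workflow default is `contents: read`, and the steps that presumably use them (the job name suggests it pushes a version bump and opens a PR) are outside the hunk, so a later reader cannot tell which scope serves which step. Add above the block `# Only this job needs write scopes (it pushes the version bump and opens the PR); all other jobs run with the workflow-level contents: read.` Also note that once a job declares `permissions`, every scope it does not list is `none` for that job, so if any later step in this job relied on another scope the token previously carried, it no longer has it; the rest of the job is outside the hunk, so confirm by reading its remaining steps. The earlier hunk's `contents: read` default likewise applies to build-and-run-vitest and the smoke-test jobs, which is appropriate as long as none of them push or tag.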
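Review bot: Dropping `security-events: write` from the workflow-level block in run-ci.yml removes the scope a job needs to upload code-scanning (SARIF) results, and no job-level grant is added in its place, so if any job in this workflow uploads such results that step will now fail with a permissions error. The jobs themselves are outside the hunk, so this cannot be confirmed here; if one does need it, grant it on that job only with `permissions:` / `  security-events: write` rather than restoring the workflow-wide grant. If none does, a one-line comment above `permissions:` such as `# Read-only token: no job in this workflow uploads code-scanning results` would record that the removal was deliberate.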