Cleanup of workflows for Zizmor compliance

Author: mandreko-bitwarden

.github/workflows/publish-python.yml

@@ -33,15 +33,19 @@ jobs:
     outputs:
       version: ${{ steps.version-output.outputs.version }}
       tag_name: ${{ steps.version-output.outputs.tag_name }}
+    env:
+      INPUTS: ${{ toJson(inputs) }}
     steps:
       - name: Log inputs to job summary
         run: |
-          echo "<details><summary>Job Inputs</summary>" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo '```json' >> $GITHUB_STEP_SUMMARY
-          echo '${{ toJson(inputs) }}' >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          echo "</details>" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "<details><summary>Job Inputs</summary>"
+            echo ""
+            echo '```json'
+            echo "${INPUTS}"
+            echo '```'
+            echo "</details>"
+          } >> "$GITHUB_STEP_SUMMARY"
 
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

.github/workflows/publish-ruby.yml

@@ -17,14 +17,14 @@ on:
         required: false
         default: "latest"
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   setup:
     name: Setup
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     outputs:
       release_version: ${{ steps.version-output.outputs.version }}
       tag_name: ${{ steps.version-output.outputs.tag_name }}
@@ -65,6 +65,9 @@ jobs:
   publish:
     name: Publish
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
     needs: setup
     env:
       _VERSION: ${{ needs.setup.outputs.release_version }}

.github/workflows/release-dotnet.yml

@@ -13,14 +13,14 @@ on:
           - Release
           - Dry Run
 
-permissions:
-  contents: write
-  actions: read
+permissions: {}
 
 jobs:
   setup:
     name: Setup
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
     steps:
@@ -53,6 +53,9 @@ jobs:
   release:
     name: Create GitHub release
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      actions: read
     needs: setup
     steps:
       - name: Checkout Repository

.github/workflows/release-java.yml

@@ -13,14 +13,14 @@ on:
           - Release
           - Dry Run
 
-permissions:
-  contents: write
-  actions: read
+permissions: {}
 
 jobs:
   setup:
     name: Setup
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
     steps:
@@ -48,6 +48,9 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      actions: read
     needs: setup
     steps:
       - name: Checkout Repository

.github/workflows/release-napi.yml

@@ -19,14 +19,14 @@ defaults:
     shell: bash
     working-directory: crates/bitwarden-napi
 
-permissions:
-  contents: write
-  actions: read
+permissions: {}
 
 jobs:
   setup:
     name: Setup
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
     steps:
@@ -57,6 +57,9 @@ jobs:
   release:
     name: Create GitHub release
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      actions: read
     needs: setup
     steps:
       - name: Checkout Repository

.github/workflows/release-python.yml

@@ -13,14 +13,14 @@ on:
           - Release
           - Dry Run
 
-permissions:
-  contents: write
-  actions: read
+permissions: {}
 
 jobs:
   setup:
     name: Setup
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
     steps:
@@ -48,6 +48,9 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      actions: read
     needs: setup
     steps:
       - name: Checkout repo

.github/workflows/release-ruby.yml

@@ -13,14 +13,14 @@ on:
           - Release
           - Dry Run
 
-permissions:
-  contents: write
-  actions: read
+permissions: {}
 
 jobs:
   setup:
     name: Setup
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
     steps:
@@ -48,6 +48,9 @@ jobs:
   release:
     name: Create GitHub release
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      actions: read
     needs: setup
     steps:
       - name: Checkout Repository

.github/workflows/release-wasm.yml

@@ -17,14 +17,14 @@ defaults:
   run:
     working-directory: languages/js/wasm
 
-permissions:
-  contents: write
-  actions: read
+permissions: {}
 
 jobs:
   setup:
     name: Setup
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     outputs:
       release_version: ${{ steps.version.outputs.version }}
     steps:
@@ -55,6 +55,9 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      actions: read
     needs: setup
     steps:
       - name: Checkout repo

.github/workflows/rustdoc.yml

@@ -4,10 +4,7 @@ on:
   push:
     branches: ["main"]
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+permissions: {}
 
 concurrency:
   group: "pages"
@@ -17,6 +14,8 @@ jobs:
   rustdoc:
     name: Rustdoc
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
@@ -44,6 +43,10 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     needs: rustdoc
     name: Deploy
     steps: