smallstep · azazeal · May 20, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
@@ -3,9 +3,10 @@ root = true
 [*]
 charset = utf-8
 end_of_line = lf
-insert_final_newline = true
-indent_style = tab
 indent_size = 4
+indent_style = tab
+insert_final_newline = true
+tab_width = unset
 trim_trailing_whitespace = true
 
 [*.yml]

@@ -31,11 +31,17 @@ jobs:
     uses: ./.github/workflows/frizbee.yml
     if: inputs.run-frizbee
 
+  # NOTE(@azazeal): callers that set run-zizmor: true (the default) must also
+  # grant actions: read and security-events: write to the job that calls
+  # actionci.yml. Reusable workflows cannot be granted more than the caller has.
+  #
+  # ref: https://docs.github.com/en/actions/reference/reusable-workflows-reference
   zizmor:
     uses: ./.github/workflows/zizmor.yml
     if: inputs.run-zizmor
     with:
       advanced-security: ${{ inputs.zizmor-advanced-security }}
     permissions:
       contents: read
+      actions: read
       security-events: write
@@ -2,6 +2,9 @@ name: Lint GitHub Actions workflows
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   actionlint:
     name: Lint GitHub workflows

@@ -23,6 +23,7 @@ jobs:
     uses: ./.github/workflows/actionci.yml
     permissions:
       contents: read
+      actions: read
       security-events: write
 
   lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid

@@ -10,18 +10,18 @@ on:
       build-cmd:
         required: false
         type: string
-        default: 'V=1 make build'
+        default: "V=1 make build"
       build-mode:
         required: false
         type: string
-        default: ''
+        default: ""
       make-bootstrap:
         required: false
         type: boolean
       goprivate:
         required: false
         type: string
-        default: go.step.sm,github.com/smallstep
+        default: go.step.sm/,github.com/smallstep/
       os-dependencies:
         required: false
         type: string
@@ -31,14 +31,18 @@ on:
       PAT:
         required: false
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   codeql-analyze:
     name: CodeQL Analyze
     runs-on: ${{ inputs.runs-on }}
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'go' ]
+        language: ["go"]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
     env:
@@ -77,10 +81,10 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: 'stable'
+          go-version: "stable"
           check-latest: true
           cache: true
-          cache-dependency-path: '**/go.sum'
+          cache-dependency-path: "**/go.sum"
       - name: Setup SSH key for private dependencies
         uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
         env:

@@ -13,8 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     permissions:
-      contents: write
-      pull-requests: write
+      pull-requests: read
     steps:
       - name: Dependabot metadata
         id: metadata

@@ -35,7 +35,7 @@ jobs:
     runs-on: ${{ inputs.runs_on }}
     permissions:
       id-token: write
-      contents: write
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

@@ -3,6 +3,8 @@ name: Frizbee pinning check
 on:
   workflow_call:
 
+permissions: {}
+
 jobs:
   frizbee:
     name: frizbee

@@ -8,7 +8,7 @@ on:
       build-command:
         required: false
         type: string
-        default: 'V=1 make build'
+        default: "V=1 make build"
       os-dependencies:
         required: false
         type: string
@@ -19,13 +19,16 @@ on:
       goprivate:
         required: false
         type: string
-        default: go.step.sm,github.com/smallstep
+        default: go.step.sm/,github.com/smallstep/
     secrets:
       SSH_PRIVATE_KEY:
         required: false
       PAT:
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   set-go-matrix:
     runs-on: ubuntu-latest
@@ -97,7 +100,7 @@ jobs:
           go-version: ${{ matrix.go }}
           check-latest: true
           cache: true
-          cache-dependency-path: '**/go.sum'
+          cache-dependency-path: "**/go.sum"
       - name: Setup SSH key for private dependencies
         uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
         env:

@@ -4,82 +4,82 @@ on:
       build-command:
         required: false
         type: string
-        default: 'V=1 make build'
+        default: "V=1 make build"
       codeql-build-cmd:
         required: false
         type: string
-        default: 'V=1 make build'
+        default: "V=1 make build"
       codeql-build-mode:
         required: false
         type: string
-        default: ''
+        default: ""
       codeql-make-bootstrap:
         required: false
         type: boolean
       runs-on:
         required: false
         type: string
-        default: ''
+        default: ""
       build-runs-on:
         required: false
         type: string
-        default: ''
+        default: ""
       codeql-runs-on:
         required: false
         type: string
-        default: ''
+        default: ""
       govulncheck-runs-on:
         required: false
         type: string
-        default: ''
+        default: ""
       lint-runs-on:
         required: false
         type: string
-        default: ''
+        default: ""
       test-runs-on:
         required: false
         type: string
-        default: ''
+        default: ""
       golangci-lint-version:
         required: false
         type: string
         default: latest
       golangci-lint-args:
         required: false
         type: string
-        default: '--timeout=30m'
+        default: "--timeout=30m"
       goprivate:
         required: false
         type: string
-        default: go.step.sm,github.com/smallstep
+        default: go.step.sm/,github.com/smallstep/
       only-latest-golang:
         required: false
         type: boolean
         default: true
       os-dependencies:
         required: false
         type: string
-        default: ''
+        default: ""
       build-os-dependencies:
         required: false
         type: string
-        default: ''
+        default: ""
       codeql-os-dependencies:
         required: false
         type: string
-        default: ''
+        default: ""
       govulncheck-os-dependencies:
         required: false
         type: string
-        default: ''
+        default: ""
       lint-os-dependencies:
         required: false
         type: string
-        default: ''
+        default: ""
       test-os-dependencies:
         required: false
         type: string
-        default: ''
+        default: ""
       run-actionlint:
         required: false
         type: boolean
@@ -115,7 +115,7 @@ on:
       test-command:
         required: false
         type: string
-        default: 'gotestsum -- -coverpkg=./... -coverprofile=coverage.out -covermode=atomic ./...'
+        default: "gotestsum -- -coverpkg=./... -coverprofile=coverage.out -covermode=atomic ./..."
       lint-skip-go-generate:
         required: false
         type: boolean
@@ -133,7 +133,6 @@ on:
         required: false
 
 jobs:
-
   lint:
     uses: ./.github/workflows/goLint.yml
     if: inputs.run-lint
@@ -160,6 +159,11 @@ jobs:
       SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
       PAT: ${{ secrets.PAT }}
 
+  # NOTE(@azazeal): callers that set run-codeql: true must also grant
+  # security-events: write to the job that calls goCI.yml. Reusable workflows
+  # cannot be granted more than the caller has.
+  #
+  # ref: https://docs.github.com/en/actions/reference/reusable-workflows-reference
   codeql:
     if: inputs.run-codeql
     uses: ./.github/workflows/codeql-analysis.yml
@@ -170,6 +174,9 @@ jobs:
       make-bootstrap: ${{ inputs.codeql-make-bootstrap }}
       build-cmd: ${{ inputs.codeql-build-cmd }}
       build-mode: ${{ inputs.codeql-build-mode }}
+    permissions:
+      contents: read
+      security-events: write
     secrets:
       SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
       PAT: ${{ secrets.PAT }}

@@ -11,15 +11,15 @@ on:
       goprivate:
         required: false
         type: string
-        default: go.step.sm,github.com/smallstep
+        default: go.step.sm/,github.com/smallstep/
       golangci-lint-version:
         required: false
         type: string
         default: latest
       golangci-lint-args:
         required: false
         type: string
-        default: '--timeout=30m'
+        default: "--timeout=30m"
       skip-go-generate:
         required: false
         type: boolean
@@ -34,6 +34,9 @@ on:
       PAT:
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ${{ inputs.runs-on }}
@@ -78,7 +81,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
           cache: true
-          cache-dependency-path: '**/go.sum'
+          cache-dependency-path: "**/go.sum"
 
       - name: Setup SSH key for private dependencies
         uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
@@ -119,7 +122,7 @@ jobs:
         if: success() || failure() # run this step even if the previous one failed
         with:
           version: ${{ inputs.golangci-lint-version }}
-          args: '${{ steps.configure-linter.outputs.extra-args }} ${{ inputs.golangci-lint-args }}'
+          args: "${{ steps.configure-linter.outputs.extra-args }} ${{ inputs.golangci-lint-args }}"
           verify: true
 
       - name: Run go generate