excessive-permissions: add missing known permissions

Signed-off-by: William Woodruff <william@yossarian.net>
2025-12-23 08:47:33 +00:00 · 2025-12-18 23:10:32 -05:00 · 2025-12-18 23:10:32 -05:00 · 8a6e902d90
commit 8a6e902d90
parent 1a6a008951
1 changed files with 3 additions and 0 deletions
--- a/crates/zizmor/src/audit/excessive_permissions.rs
+++ b/crates/zizmor/src/audit/excessive_permissions.rs
@ -14,6 +14,7 @@ use crate::{
 static KNOWN_PERMISSIONS: LazyLock<HashMap<&str, Severity>> = LazyLock::new(|| {
    [
        ("actions", Severity::High),
+        ("artifact-metadata", Severity::Medium),
        ("attestations", Severity::High),
        ("checks", Severity::Medium),
        ("contents", Severity::High),
@ -21,6 +22,8 @@ static KNOWN_PERMISSIONS: LazyLock<HashMap<&str, Severity>> = LazyLock::new(|| {
        ("discussions", Severity::Medium),
        ("id-token", Severity::High),
        ("issues", Severity::High),
+        // What does the write permission even do here?
+        ("models", Severity::Low),
        ("packages", Severity::High),
        ("pages", Severity::High),
        ("pull-requests", Severity::High),