CI: remove unused "permissions: packages: write"

biergaizi · biergaizi · commit e96d9d3079fb · 2026-01-25T18:17:44.000Z
The option "permissions: packages: write" was used to enable NuGet
repository for vcpkg caching, but eventually this caching method
was not used due to my security concerns of cache poisoning. It's
unclear whether a third-party contributor can write arbitrary
packages to the NuGet repository. Thus, regular GitHub file caching
via "actions/cache" was used (which is isolated per branch, by
default, it's not possible to overwrite the trusted "master" branch
caching just by opening a PR).

Remove unused "permissions: packages: write".

Signed-off-by: Yifeng Li &lt;tomli@tomli.me&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -815,10 +815,6 @@ jobs:
       VCPKG_ASSET_CACHE_PATH: "${{ github.workspace }}/vcpkg-cache/asset"
       X_VCPKG_ASSET_SOURCES: "x-azurl,file://${{ github.workspace }}/vcpkg-cache/asset,readwrite"
 
-    # allow this job to create and modify vcpkg packages for binary cache
-    permissions:
-      packages: write
-
     name: "Windows (${{ matrix.toolchain.name }}, latest)"
 
     steps:
