From 7278d1e4ec7e583a92938bd3c3fa9b720dfbc11a Mon Sep 17 00:00:00 2001
From: Paco Aranda
Date: Tue, 29 Oct 2024 17:10:38 +0100
Subject: [PATCH] [CI] Configure workflow permissions (#5648)
# Description
Closes #
**Type of change**
- Bug fix (non-breaking change which fixes an issue)
- New feature (non-breaking change which adds functionality)
- Breaking change (fix or feature that would cause existing functionality to not work as expected)
- Refactor (change restructuring the codebase without changing functionality)
- Improvement (change adding some improvement to an existing functionality)
- Documentation update
**How Has This Been Tested**
**Checklist**
- I added relevant documentation
- I followed the style guidelines of this project
- I did a self-review of my code
- I made corresponding changes to the documentation
- I confirm My changes generate no new warnings
- I have added tests that prove my fix is effective or that my feature works
- I have added relevant notes to the CHANGELOG.md file (See https://keepachangelog.com/)
---
 .../argilla-frontend.build-push-dev-frontend-docker.yml | 6 +++---
 .github/workflows/argilla-frontend.yml | 5 +++++
 .github/workflows/argilla-server.yml | 3 +++
 .github/workflows/argilla.docs.yml | 4 ++++
 .github/workflows/argilla.yml | 5 +++--
 .github/workflows/close-inactive-issues-bot.yml | 4 ++++
 6 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/argilla-frontend.build-push-dev-frontend-docker.yml b/.github/workflows/argilla-frontend.build-push-dev-frontend-docker.yml
index d1c110a615..8f43c5cd93 100644
--- a/.github/workflows/argilla-frontend.build-push-dev-frontend-docker.yml
+++ b/.github/workflows/argilla-frontend.build-push-dev-frontend-docker.yml
@@ -62,8 +62,8 @@ jobs:
 - name: Build Frontend
 run: |
- npm install
- npm run build
+ npm install
+ npm run build
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v2
@@ -91,7 +91,7 @@ jobs:
 # Authenticate in GCP using Workload Identity Federation, so we can push the Docker image to the Google Cloud Artifact Registry
 - name: Authenticate to Google Cloud
 id: google-auth
- uses: 'google-github-actions/auth@v1'
+ uses: "google-github-actions/auth@v1"
 with:
 token_format: access_token
 workload_identity_provider: ${{ secrets.GOOGLE_CLOUD_WIP }}
diff --git a/.github/workflows/argilla-frontend.yml b/.github/workflows/argilla-frontend.yml
index 91cf387bdf..3c3bdba738 100644
--- a/.github/workflows/argilla-frontend.yml
+++ b/.github/workflows/argilla-frontend.yml
@@ -11,6 +11,11 @@ on:
 paths:
 - "argilla-frontend/**"
+permissions:
+ contents: read
+ id-token: write
+ pull-requests: write
+
 jobs:
 build:
 name: Build argilla-frontend
diff --git a/.github/workflows/argilla-server.yml b/.github/workflows/argilla-server.yml
index 6e9e7c5b04..6952ff8906 100644
--- a/.github/workflows/argilla-server.yml
+++ b/.github/workflows/argilla-server.yml
@@ -17,6 +17,9 @@ on:
 paths:
 - "argilla-server/**"
+permissions:
+ id-token: write
+
 jobs:
 build:
 name: Build `argilla-server` package
diff --git a/.github/workflows/argilla.docs.yml b/.github/workflows/argilla.docs.yml
index 0f30f74035..fcad94cf1c 100644
--- a/.github/workflows/argilla.docs.yml
+++ b/.github/workflows/argilla.docs.yml
@@ -19,6 +19,10 @@ defaults:
 run:
 working-directory: argilla
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/argilla.yml b/.github/workflows/argilla.yml
index ea15b5f045..413a943982 100644
--- a/.github/workflows/argilla.yml
+++ b/.github/workflows/argilla.yml
@@ -17,6 +17,9 @@ on:
 paths:
 - "argilla/**"
+permissions:
+ id-token: write
+
 jobs:
 build:
 services:
@@ -85,8 +88,6 @@ jobs:
 # contents: read
 # IMPORTANT: this permission is mandatory for trusted publishing on PyPI
 id-token: write
- # This permission is needed for creating tags
- contents: write
 needs:
 - build
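Review bot: The `permissions` block added to argilla-frontend.yml at workflow level grants `id-token: write` and `pull-requests: write` to every job in the file, not only to the job that actually exchanges the OIDC token or writes to pull requests; the same pattern appears in argilla-server.yml, in argilla.docs.yml (where it is `contents: write` workflow-wide) and in the first hunk of argilla.yml. Keep the workflow-level block at `contents: read` and declare the write scopes on the individual jobs that need them, e.g. under that job: `permissions:` / `id-token: write` / `pull-requests: write`. This matters most if any job in the workflow checks out pull-request code, since a job-level write token is exposed only to the steps of that job. The triggers under `on:` and the job bodies are outside the hunk, so which jobs need each scope cannot be confirmed from here.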
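Review bot: The `permissions:` block added to argilla-server.yml lists only `id-token: write`, which implicitly sets every other scope, including `contents`, to `none` for each job that does not override it; the first hunk of argilla.yml has the same shape. If the repository is private, `actions/checkout` and any other repository read will then fail at runtime, and even on a public repository the intent is clearer when stated. Suggest `permissions:` / `contents: read` / `id-token: write`, with a comment such as `# id-token is required for OIDC-based publishing; every scope not listed here is none` so the next reader knows the omission is deliberate. The jobs affected are below the hunk.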
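Review bot: Dropping `contents: write` from the job-level `permissions` block in argilla.yml leaves that block with `id-token: write` alone, and since a job-level block is not merged with the workflow-level one, `contents` becomes `none` for this job (the `# contents: read` line above it is still commented out). The removed comment said the scope was needed for creating tags; if the job still pushes a tag, or checks out a private repository, the failure will surface at runtime rather than at workflow validation, so confirm the tagging step was removed as well. If read access is still required, uncomment `contents: read` next to `id-token: write`. The job's header and its steps are outside the hunk.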
diff --git a/.github/workflows/close-inactive-issues-bot.yml b/.github/workflows/close-inactive-issues-bot.yml
index e61f938830..fa43996511 100644
--- a/.github/workflows/close-inactive-issues-bot.yml
+++ b/.github/workflows/close-inactive-issues-bot.yml
@@ -3,6 +3,10 @@ on:
 schedule:
 - cron: "30 1 * * *"
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 close-issues:
 runs-on: ubuntu-latest