From 0f0c9aa0d77b8d70f34c38b7dd8516818ccc9c20 Mon Sep 17 00:00:00 2001
From: Christian Emmer <10749361+emmercm@users.noreply.github.com>
Date: Fri, 12 Jul 2024 12:57:04 -0400
Subject: [PATCH] CI: consistency with job permissions (#1212)

---
 .github/workflows/gh-automerge-disabler.yml   | 15 ++++++++-------
 .github/workflows/gh-dependabot-automerge.yml | 13 ++++++-------
 .github/workflows/gh-lock-issues.yml          |  9 ++++-----
 .github/workflows/gh-pages.yml                |  4 ++--
 .github/workflows/gh-release-drafter.yml      |  6 +++++-
 .github/workflows/gh-repo-update.yml          |  2 +-
 .github/workflows/gh-stale-issues.yml         |  8 ++++----
 .github/workflows/node-compile.yml            |  2 +-
 .github/workflows/node-publish.yml            |  2 +-
 .github/workflows/node-test.yml               |  2 +-
 10 files changed, 33 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/gh-automerge-disabler.yml b/.github/workflows/gh-automerge-disabler.yml
index adc25d444..d846a6176 100644
--- a/.github/workflows/gh-automerge-disabler.yml
+++ b/.github/workflows/gh-automerge-disabler.yml
@@ -10,16 +10,15 @@ on:
     types:
       - edited
 
-permissions:
-  # actions/checkout@v4, `gh` CLI
-  contents: write
-  # `gh` CLI
-  repository-projects: read
-  pull-requests: write
-
 jobs:
   disable-auto-merge:
     if: ${{ github.event.pull_request.auto_merge && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name }}
+    permissions:
+      # actions/checkout@v4, `gh` CLI
+      contents: write
+      # `gh` CLI
+      repository-projects: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       # Required for `gh` CLI
@@ -39,6 +38,8 @@ jobs:
 
   remove-comment:
     if: ${{ !github.event.pull_request.auto_merge || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name }}
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: thollander/actions-comment-pull-request@v2
diff --git a/.github/workflows/gh-dependabot-automerge.yml b/.github/workflows/gh-dependabot-automerge.yml
index 2aefb92b5..f1f280327 100644
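Review bot: Deleting the workflow-level `permissions:` block means any job in this file without its own block falls back to the repository's default GITHUB_TOKEN permissions, which can be read/write depending on repository settings; both jobs here are covered, but the safety net for future jobs is gone. Keeping an empty workflow-level block, `permissions: {}`, makes the per-job blocks the only grants and makes a forgotten block fail loudly instead of silently inheriting the default. The same applies to the gh-dependabot-automerge, gh-lock-issues and gh-stale-issues hunks. Separately, the moved comment attributes `contents: write` to actions/checkout@v4, but checkout only needs read access; if write is needed it is for the `gh` CLI step, and the comment should name that consumer alone.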
--- a/.github/workflows/gh-dependabot-automerge.yml
+++ b/.github/workflows/gh-dependabot-automerge.yml
@@ -8,16 +8,15 @@ on:
       - reopened
       - synchronize # PR's branch was edited (i.e. new commits)
 
-permissions:
-  # actions/checkout@v4, `gh` CLI
-  contents: write
-  # `gh` CLI
-  repository-projects: read
-  pull-requests: write
-
 jobs:
   dependabot-automerge:
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    permissions:
+      # actions/checkout@v4, `gh` CLI
+      contents: write
+      # `gh` CLI
+      repository-projects: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       # Required for `gh` CLI
diff --git a/.github/workflows/gh-lock-issues.yml b/.github/workflows/gh-lock-issues.yml
index ff2ed7770..29b0dd264 100644
--- a/.github/workflows/gh-lock-issues.yml
+++ b/.github/workflows/gh-lock-issues.yml
@@ -5,13 +5,12 @@ on:
     - cron: '30 1 * * *'
   workflow_dispatch:
 
-permissions:
-  issues: write
-  pull-requests: write
-  discussions: write
-
 jobs:
   action:
+    permissions:
+      issues: write
+      pull-requests: write
+      discussions: write
     runs-on: ubuntu-latest
     steps:
       - uses: dessant/lock-threads@v5
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 2b3821ab9..6fc68100e 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -19,9 +19,9 @@ concurrency:
 
 jobs:
   path-filter:
-    runs-on: ubuntu-latest
     permissions:
       pull-requests: read
+    runs-on: ubuntu-latest
     outputs:
       changes: ${{ steps.filter.outputs.changes }}
     steps:
@@ -82,9 +82,9 @@ jobs:
 
   deploy:
     if: github.event_name == 'release'
-    runs-on: ubuntu-latest
     permissions:
       contents: write
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/gh-release-drafter.yml b/.github/workflows/gh-release-drafter.yml
index 535e9b222..f677ca48c 100644
--- a/.github/workflows/gh-release-drafter.yml
+++ b/.github/workflows/gh-release-drafter.yml
@@ -24,6 +24,11 @@ env:
 
 jobs:
   release:
+    permissions:
+      # actions/checkout@v4
+      contents: read
+      # thollander/actions-comment-pull-request@v2
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -36,7 +41,6 @@ jobs:
       - id: check
         uses: EndBug/version-check@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           # NOTE: `diff-search:true` is preferred so that only the exact commit that bumps the
           # version triggers this workflow, but `workflow_dispatch` doesn't carry commit or
           # commit ref info that's needed for it.
diff --git a/.github/workflows/gh-repo-update.yml b/.github/workflows/gh-repo-update.yml
index 3eeb32988..510d1019a 100644
--- a/.github/workflows/gh-repo-update.yml
+++ b/.github/workflows/gh-repo-update.yml
@@ -14,9 +14,9 @@ concurrency:
 
 jobs:
   repo-update:
-    runs-on: ubuntu-latest
     permissions:
       repository-projects: write
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - run: |
diff --git a/.github/workflows/gh-stale-issues.yml b/.github/workflows/gh-stale-issues.yml
index 59d19a172..dd0779e46 100644
--- a/.github/workflows/gh-stale-issues.yml
+++ b/.github/workflows/gh-stale-issues.yml
@@ -5,12 +5,12 @@ on:
     - cron: '30 1 * * *'
   workflow_dispatch:
 
-permissions:
-  issues: write
-  pull-requests: write
-
 jobs:
   stale:
+    permissions:
+      issues: write
+      pull-requests: write
+      discussions: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v9
diff --git a/.github/workflows/node-compile.yml b/.github/workflows/node-compile.yml
index aedd75005..93fc8d1cf 100644
--- a/.github/workflows/node-compile.yml
+++ b/.github/workflows/node-compile.yml
@@ -26,9 +26,9 @@ env:
 
 jobs:
   path-filter:
-    runs-on: ubuntu-latest
     permissions:
       pull-requests: read
+    runs-on: ubuntu-latest
     outputs:
       changes: ${{ steps.filter.outputs.changes }}
     steps:
diff --git a/.github/workflows/node-publish.yml b/.github/workflows/node-publish.yml
index c09371ca6..9af850d3d 100644
--- a/.github/workflows/node-publish.yml
+++ b/.github/workflows/node-publish.yml
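Review bot: The new job-level block in gh-release-drafter.yml restricts the `release` job to `contents: read` and `pull-requests: write`, but the job's steps continue outside the hunk and this file previously had no `permissions:` block at all, so it ran with the repository default; any later step that creates or updates a draft release (as the file name suggests) needs `contents: write` and would now be refused by the API. Confirm the remaining steps against these two scopes before merging, and if a release step exists change the entry to `contents: write` with a comment naming that action, matching the per-consumer comments used here. The `token:` removal in the next hunk presumably relies on EndBug/version-check@v2 defaulting to the workflow token; that is worth verifying, since otherwise the check would run unauthenticated.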
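Review bot: The replacement block in gh-stale-issues.yml adds `discussions: write`, a scope the removed workflow-level block never granted, so this hunk widens the token rather than only relocating permissions as the commit title describes. Unless actions/stale@v9 (whose configuration continues outside the hunk) acts on discussions, drop that line; if it is intentional, add a comment above it naming the consumer, e.g. `# actions/stale@v9 (discussions)`, the way the other workflows in this patch annotate each scope.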
@@ -11,7 +11,6 @@ on:
 
 jobs:
   node-publish:
-    runs-on: ubuntu-latest
     permissions:
       # actions/checkout@v4
       contents: read
@@ -19,6 +18,7 @@ jobs:
       id-token: write
       # thollander/actions-comment-pull-request@v2
       pull-requests: write
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: volta-cli/action@v4
diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml
index ca6887eb8..41fe28ce4 100644
--- a/.github/workflows/node-test.yml
+++ b/.github/workflows/node-test.yml
@@ -26,9 +26,9 @@ env:
 
 jobs:
   path-filter:
-    runs-on: ubuntu-latest
     permissions:
       pull-requests: read
+    runs-on: ubuntu-latest
     outputs:
       changes: ${{ steps.filter.outputs.changes }}
     steps: