Reduced workflow permissions (#1793)

CatChen · Mar 19, 2023 · ba60550 · ba60550
1 parent c4f253b
commit ba60550
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 34 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,10 +5,6 @@ on:
     branches: [main]
   pull_request:
     branches: [main, '[0-9]+-[0-9]+-*']
-  workflow_run:
-    workflows: ['Build for Dependabot']
-    types:
-      - completed
   workflow_dispatch:
   workflow_call:
     inputs:
@@ -20,37 +16,22 @@ on:
 jobs:
   build:
     name: Build
-    if: |-
-      ${{
-        !startsWith(github.head_ref, 'workflows/tests/') && ((
-          github.actor == 'dependabot[bot]' && 
-          github.event_name != 'push' &&
-          github.event_name != 'pull_request'
-        ) || (
-          github.actor != 'dependabot[bot]' &&
-          github.event_name != 'workflow_run'
-        ))
-      }}
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      pull-requests: write
+      contents: write
     steps:
       - uses: actions/checkout@v3
-        if: ${{ github.event_name != 'workflow_run' }}
         with:
-          ref: ${{ inputs.ref || github.head_ref || github.base_ref }}
-
-      - uses: actions/checkout@v3
-        if: ${{ github.event_name == 'workflow_run' }}
-        with:
-          ref: ${{ github.event.workflow_run.head_branch }}
+          ref: ${{ inputs.ref }}
 
       - uses: actions/setup-node@v3
         with:
           node-version-file: '.nvmrc'
           check-latest: true
 
       - name: Install dependencies
-        run: yarn install
+        run: yarn
 
       - name: Build
         run: yarn build
@@ -61,6 +42,6 @@ jobs:
       - uses: CatChen/check-git-status-action@v1
         id: check-git-status
         with:
-          fail-if-not-clean: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_call' }}
+          fail-if-not-clean: ${{ github.actor != 'dependabot[bot]' }}
           push-if-not-clean: true
           github-token: ${{ secrets.CHECK_GIT_STATUS_ACTION_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -42,17 +42,23 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yml
-    secrets: inherit
+    permissions:
+      pull-requests: write
+      contents: write
 
   test:
     uses: ./.github/workflows/test.yml
-    secrets: inherit
+    permissions: write-all
 
   eslint:
     uses: ./.github/workflows/eslint.yml
 
   codeql:
     uses: ./.github/workflows/codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
 
   release:
     name: Release
@@ -72,10 +78,11 @@ jobs:
         uses: CatChen/node-package-release-action@v1
         with:
           release-type: ${{ inputs.release-type || 'patch' }}
-          prerelease: ${{ inputs.prerelease || true }}
+          prerelease: ${{ inputs.prerelease || false }}
           update-shorthand-release: true
           dry-run: ${{ inputs.dry-run || false }}
           skip-if-no-diff: ${{ inputs.skip-if-no-diff || true }}
+          diff-targets: ${{ inputs.diff-targets || 'dist/**/*' }}
 
   publish:
     name: Publish

diff --git a/.github/workflows/ship.yml b/.github/workflows/ship.yml
@@ -66,14 +66,15 @@ jobs:
         contains(github.event.workflow_run.pull_requests.*.base.ref, 'main')
       }}
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      pull-requests: write
+      contents: write
     outputs:
       skipped: ${{ steps.ship.outputs.skipped }}
     steps:
       - uses: actions/checkout@v3
 
-      - id: ship
-        uses: ./
+      - uses: CatChen/accept-to-ship-action@v0.4
         with:
           merge-method: squash
           timeout: 0
@@ -89,7 +90,9 @@ jobs:
         contains(github.event.workflow_run.pull_requests.*.base.ref, 'main')
       }}
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      pull-requests: write
+      contents: write
     outputs:
       skipped: ${{ steps.ship.outputs.skipped }}
     steps:
@@ -106,16 +109,18 @@ jobs:
   build:
     needs: [accept-to-ship, pass-to-ship]
     if: ${{ !needs.accept-to-ship.outputs.skipped || !needs.pass-to-ship.outputs.skipped }}
+    permissions:
+      pull-requests: write
+      contents: write
     uses: ./.github/workflows/build.yml
-    secrets: inherit
     with:
       ref: 'refs/heads/main'
 
   test:
     needs: [accept-to-ship, pass-to-ship]
     if: ${{ !needs.accept-to-ship.outputs.skipped || !needs.pass-to-ship.outputs.skipped }}
+    permissions: write-all
     uses: ./.github/workflows/test.yml
-    secrets: inherit
     with:
       ref: 'refs/heads/main'
 
@@ -129,6 +134,10 @@ jobs:
   codeql:
     needs: [accept-to-ship, pass-to-ship]
     if: ${{ !needs.accept-to-ship.outputs.skipped || !needs.pass-to-ship.outputs.skipped }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: ./.github/workflows/codeql.yml
     with:
       ref: 'refs/heads/main'