CI: consistency with job permissions (#1212)

emmercm · Jul 12, 2024 · 0f0c9aa · 0f0c9aa
1 parent 865955a
commit 0f0c9aa
Show file tree

Hide file tree

Showing 10 changed files with 33 additions and 30 deletions.
diff --git a/.github/workflows/gh-automerge-disabler.yml b/.github/workflows/gh-automerge-disabler.yml
@@ -10,16 +10,15 @@ on:
     types:
       - edited
 
-permissions:
-  # actions/checkout@v4, `gh` CLI
-  contents: write
-  # `gh` CLI
-  repository-projects: read
-  pull-requests: write
-
 jobs:
   disable-auto-merge:
     if: ${{ github.event.pull_request.auto_merge && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name }}
+    permissions:
+      # actions/checkout@v4, `gh` CLI
+      contents: write
+      # `gh` CLI
+      repository-projects: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       # Required for `gh` CLI
@@ -39,6 +38,8 @@ jobs:
 
   remove-comment:
     if: ${{ !github.event.pull_request.auto_merge || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name }}
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: thollander/actions-comment-pull-request@v2

diff --git a/.github/workflows/gh-dependabot-automerge.yml b/.github/workflows/gh-dependabot-automerge.yml
@@ -8,16 +8,15 @@ on:
       - reopened
       - synchronize  # PR's branch was edited (i.e. new commits)
 
-permissions:
-  # actions/checkout@v4, `gh` CLI
-  contents: write
-  # `gh` CLI
-  repository-projects: read
-  pull-requests: write
-
 jobs:
   dependabot-automerge:
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    permissions:
+      # actions/checkout@v4, `gh` CLI
+      contents: write
+      # `gh` CLI
+      repository-projects: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       # Required for `gh` CLI

diff --git a/.github/workflows/gh-lock-issues.yml b/.github/workflows/gh-lock-issues.yml
@@ -5,13 +5,12 @@ on:
     - cron: '30 1 * * *'
   workflow_dispatch:
 
-permissions:
-  issues: write
-  pull-requests: write
-  discussions: write
-
 jobs:
   action:
+    permissions:
+      issues: write
+      pull-requests: write
+      discussions: write
     runs-on: ubuntu-latest
     steps:
       - uses: dessant/lock-threads@v5

diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -19,9 +19,9 @@ concurrency:
 
 jobs:
   path-filter:
-    runs-on: ubuntu-latest
     permissions:
       pull-requests: read
+    runs-on: ubuntu-latest
     outputs:
       changes: ${{ steps.filter.outputs.changes }}
     steps:
@@ -82,9 +82,9 @@ jobs:
 
   deploy:
     if: github.event_name == 'release'
-    runs-on: ubuntu-latest
     permissions:
       contents: write
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/gh-release-drafter.yml b/.github/workflows/gh-release-drafter.yml
@@ -24,6 +24,11 @@ env:
 
 jobs:
   release:
+    permissions:
+      # actions/checkout@v4
+      contents: read
+      # thollander/actions-comment-pull-request@v2
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -36,7 +41,6 @@ jobs:
       - id: check
         uses: EndBug/version-check@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           # NOTE: `diff-search:true` is preferred so that only the exact commit that bumps the
           #   version triggers this workflow, but `workflow_dispatch` doesn't carry commit or
           #   commit ref info that's needed for it.

diff --git a/.github/workflows/gh-repo-update.yml b/.github/workflows/gh-repo-update.yml
@@ -14,9 +14,9 @@ concurrency:
 
 jobs:
   repo-update:
-    runs-on: ubuntu-latest
     permissions:
       repository-projects: write
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - run: |

diff --git a/.github/workflows/gh-stale-issues.yml b/.github/workflows/gh-stale-issues.yml
@@ -5,12 +5,12 @@ on:
     - cron: '30 1 * * *'
   workflow_dispatch:
 
-permissions:
-  issues: write
-  pull-requests: write
-
 jobs:
   stale:
+    permissions:
+      issues: write
+      pull-requests: write
+      discussions: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v9

diff --git a/.github/workflows/node-compile.yml b/.github/workflows/node-compile.yml
@@ -26,9 +26,9 @@ env:
 
 jobs:
   path-filter:
-    runs-on: ubuntu-latest
     permissions:
       pull-requests: read
+    runs-on: ubuntu-latest
     outputs:
       changes: ${{ steps.filter.outputs.changes }}
     steps:

diff --git a/.github/workflows/node-publish.yml b/.github/workflows/node-publish.yml
@@ -11,14 +11,14 @@ on:
 
 jobs:
   node-publish:
-    runs-on: ubuntu-latest
     permissions:
       # actions/checkout@v4
       contents: read
       # `npm publish --provenance`
       id-token: write
       # thollander/actions-comment-pull-request@v2
       pull-requests: write
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: volta-cli/action@v4

diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml
@@ -26,9 +26,9 @@ env:
 
 jobs:
   path-filter:
-    runs-on: ubuntu-latest
     permissions:
       pull-requests: read
+    runs-on: ubuntu-latest
     outputs:
       changes: ${{ steps.filter.outputs.changes }}
     steps: