From 752eff1c9f377e5f6bb5be0de122e79b109f7489 Mon Sep 17 00:00:00 2001 From: Nogic <24802730+nogic1008@users.noreply.github.com> Date: Sun, 5 May 2024 09:20:28 +0900 Subject: [PATCH] feat: add token permisson explicitly (#968) * docs: add `pull-requests:write` permission on description * docs: add permissions on example * ci(gh-actions): add permissons --- .github/workflows/nodejs.yml | 3 +++ .github/workflows/site-cat.yml | 5 ++++- README-ja.md | 16 +++++++++++----- README.md | 8 +++++++- action.yml | 2 +- 5 files changed, 26 insertions(+), 8 deletions(-) diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml index 18da3351..2c9e4e08 100644 --- a/.github/workflows/nodejs.yml +++ b/.github/workflows/nodejs.yml @@ -83,6 +83,9 @@ jobs: - windows-2022 - windows-2019 runs-on: ${{ matrix.os }} + permissions: + issues: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4.1.4 diff --git a/.github/workflows/site-cat.yml b/.github/workflows/site-cat.yml index 8bbcce47..e87eef07 100644 --- a/.github/workflows/site-cat.yml +++ b/.github/workflows/site-cat.yml @@ -8,8 +8,11 @@ jobs: post: runs-on: ubuntu-latest if: (!contains(github.actor, '[bot]')) + permissions: + issues: write + pull-requests: write steps: - - uses: ddradar/lgtm-action@v1 + - uses: ddradar/lgtm-action@v3.0.0 with: image-url: ${{ vars.LGTM_IMAGE_URI }} search-pattern: ${{ vars.LGTM_SEARCH_PATTERN }} diff --git a/README-ja.md b/README-ja.md index 55b571e7..90ac4499 100644 --- a/README-ja.md +++ b/README-ja.md @@ -37,6 +37,9 @@ on: jobs: post: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: ddradar/lgtm-action@v2.0.2 with: @@ -60,6 +63,9 @@ jobs: post: runs-on: ubuntu-latest if: (!contains(github.actor, '[bot]')) # botのコメントを除く + permissions: + issues: write + pull-requests: write steps: - uses: ddradar/choose-random-action@v1 id: act 
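Review bot: The `permissions:` block added before `steps:` in `.github/workflows/nodejs.yml` lists only `issues: write` and `pull-requests: write`, and once a job declares permissions every scope it does not list drops to `none`, including `contents`. The first step visible in the hunk is `actions/checkout@v4.1.4`, which then clones with a token that has no explicit read access to the repository; that presumably works only while the repository is public. I would add `contents: read` to the block so the checkout's requirement is stated rather than implied. The job definition starts above the hunk and its steps continue below it, so whether every matrix leg needs the two write scopes cannot be confirmed from here.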
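Review bot: On the changed `uses:` line in `.github/workflows/site-cat.yml`, the job that now holds `issues: write` and `pull-requests: write` runs `ddradar/lgtm-action@v3.0.0` by tag, and a tag can be moved to different code after review. Pinning to the full commit SHA with the version as a trailing comment, `- uses: ddradar/lgtm-action@<full-commit-sha> # v3.0.0` (placeholder; the SHA is not shown on this page), keeps the write-scoped token bound to the code that was reviewed. The jump from `@v1` to `@v3.0.0` is also not mentioned in the commit message, while the README examples in this same patch still reference `@v2.0.2`, so it is worth confirming the bump is intended.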
@@ -75,11 +81,11 @@ jobs: ## Options -| 名称 | 必須 | 説明 | デフォルト | -| -------------- | :----: | :----------------------------------------------------------------------------------------------------------------- | --------------------- | -| image-url | はい | 画像URL | - | -| search-pattern | いいえ | このアクションが反応する正規表現パターンをセットします。
複数行検索(`RegExp.prototype.multiline`)を行います。 | `^(lgtm\|LGTM)$` | -| token | いいえ | issue にコメントするために使用する、GitHub のアクセストークン。(`issues:write`権限が必要です) | `${{ github.token }}` | +| 名称 | 必須 | 説明 | デフォルト | +| -------------- | :----: | :------------------------------------------------------------------------------------------------------------------- | --------------------- | +| image-url | はい | 画像URL | - | +| search-pattern | いいえ | このアクションが反応する正規表現パターンをセットします。
複数行検索(`RegExp.prototype.multiline`)を行います。 | `^(lgtm\|LGTM)$` | +| token | いいえ | issue にコメントするために使用する、GitHub のアクセストークン。(`issues:write`と`pull-requests:write`権限が必要です) | `${{ github.token }}` | ## Screenshots diff --git a/README.md b/README.md index 82f0f46f..442f83e7 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,9 @@ on: jobs: post: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: ddradar/lgtm-action@v2.0.2 with: @@ -59,6 +62,9 @@ jobs: post: runs-on: ubuntu-latest if: (!contains(github.actor, '[bot]')) # Exclude bot comment + permissions: + issues: write + pull-requests: write steps: - uses: ddradar/choose-random-action@v2 id: act @@ -78,7 +84,7 @@ jobs: | -------------- | :-------: | :------------------------------------------------------------------------------------------------------------ | --------------------- | | image-url | Yes | Set your image URL | - | | search-pattern | No | Set regexp pattern this action reacts.
This action uses Multi-line(`RegExp.prototype.multiline`) search. | `^(lgtm\|LGTM)$` | -| token | No | GitHub Access Token to post issue comment. (requires `issues:write` permission) | `${{ github.token }}` | +| token | No | GitHub Access Token to post issue comment. (requires `issues:write` and `pull-requests:write` permission) | `${{ github.token }}` | ## Screenshots diff --git a/action.yml b/action.yml index 0b0a60a8..7bb2af53 100644 --- a/action.yml +++ b/action.yml @@ -6,7 +6,7 @@ inputs: description: > GitHub Access Token to create issue comment. In many cases, you do not need to prepare yourself. (provided by GitHub Actions) - Token must have issues:write permission. + Token must have issues:write and pull-requests:write permission. required: false default: ${{ github.token }} image-url: