Tidy up permissions handling
1. total nit: move permissions down to job-level. This is a best practice
for security. Here it doesn't matter, but it sets a good precedent if
anyone copies this to use in writing a new workflow.

2. The `fetch-dependabot-metadata` step is a read-only operation, so it
   doesn't need elevated permissions for the `GITHUB_TOKEN`. And then in
   the follow-on job `build-dependabot-changes` we're using a PAT, so
   it's not even using the `GITHUB_TOKEN`. So the entire
   `dependabot-build` workflow file doesn't need any custom permissions
   on the `GITHUB_TOKEN` at all.
jeffwidman committed May 17, 2023
1 parent b3bc799 commit dcf537b
Showing 2 changed files with 9 additions and 9 deletions.
9 changes: 6 additions & 3 deletions .github/workflows/dependabot-auto-merge.yml
@@ -1,11 +1,14 @@
name: Dependabot auto-merge
on: pull_request_target
permissions:
pull-requests: write
contents: write

jobs:
dependabot:
runs-on: ubuntu-latest

permissions:
pull-requests: write
contents: write

if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Check out code
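Review bot: The job-level `permissions:` block under `dependabot:` grants `pull-requests: write` and `contents: write` without a comment saying which step needs each scope. Because this workflow triggers on `pull_request_target`, a short comment above the block naming the consumer of each write scope would make the grant easier to audit, and would carry the reasoning along when the file is copied into a new workflow as the commit message anticipates.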
9 changes: 3 additions & 6 deletions .github/workflows/dependabot-build.yml
Expand Up @@ -3,12 +3,10 @@ name: Compile dependabot updates
on:
pull_request:

permissions:
pull-requests: write
contents: write
jobs:
fetch-dependabot-metadata:
runs-on: ubuntu-latest

# We only want to check the metadata on pull_request events from Dependabot itself,
# any subsequent pushes to the PR should just skip this step so we don't go into
# a loop on commits created by the `build-dependabot-changes` job
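Review bot: With the top-level `permissions:` block removed and no job-level block added under `fetch-dependabot-metadata`, the `GITHUB_TOKEN` scope is no longer stated in the file and falls back to the repository or organization default. Since the commit message describes this job as read-only, state that explicitly with a job-level `permissions:` block containing `contents: read` (and `pull-requests: read` if the metadata step needs it), so the workflow stays least-privilege even where the default is read/write.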
Expand All @@ -21,16 +19,15 @@ jobs:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
token: ${{ secrets.GITHUB_TOKEN }}

- name: Fetch dependabot metadata
id: dependabot-metadata
uses: ./
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"

build-dependabot-changes:
runs-on: ubuntu-latest
needs: [fetch-dependabot-metadata]

# We only need to build the dist/ folder if the PR relates a production NPM dependency, otherwise we don't expect changes.
if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production'
steps:
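Review bot: At the `actions/checkout@v3` step in `fetch-dependabot-metadata`, the token is still stored in the checkout's git config, because `persist-credentials` defaults to true. The commit message describes this job as read-only, so add `persist-credentials: false` under `with:` next to `ref:`. Separately, the comment above the `if:` of `build-dependabot-changes` reads "relates a production NPM dependency" and is missing "to".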