diff --git a/.github/workflows/60-days-stale-check.yml b/.github/workflows/60-days-stale-check.yml index 779275b98312..2de10213582a 100644 --- a/.github/workflows/60-days-stale-check.yml +++ b/.github/workflows/60-days-stale-check.yml @@ -8,6 +8,10 @@ on: schedule: - cron: '40 16 * * *' # Run each day at 16:40 UTC / 8:40 PST +permissions: + issues: write + pull-requests: write + jobs: stale: if: github.repository == 'github/docs-internal' || github.repository == 'github/docs' diff --git a/.github/workflows/add-review-template.yml b/.github/workflows/add-review-template.yml index c2f4bfe181ca..376fc4b415ad 100644 --- a/.github/workflows/add-review-template.yml +++ b/.github/workflows/add-review-template.yml @@ -9,6 +9,9 @@ on: types: - labeled +permissions: + contents: read + jobs: comment-that-approved: name: Add review template diff --git a/.github/workflows/auto-label-prs.yml b/.github/workflows/auto-label-prs.yml index 2081af1f1552..12aed3514b5e 100644 --- a/.github/workflows/auto-label-prs.yml +++ b/.github/workflows/auto-label-prs.yml @@ -7,6 +7,10 @@ name: Auto label Pull Requests on: pull_request: +permissions: + contents: read + pull-requests: write + jobs: triage: if: github.repository == 'github/docs-internal' diff --git a/.github/workflows/autoupdate-branch.yml b/.github/workflows/autoupdate-branch.yml index c376693f9991..ba126fbf25f2 100644 --- a/.github/workflows/autoupdate-branch.yml +++ b/.github/workflows/autoupdate-branch.yml @@ -24,6 +24,9 @@ on: branches: - main +permissions: + contents: read + jobs: autoupdate: if: github.repository == 'github/docs-internal' || github.repository == 'github/docs' diff --git a/.github/workflows/browser-test.yml b/.github/workflows/browser-test.yml index 934191d5d411..b54c7522e59e 100644 --- a/.github/workflows/browser-test.yml +++ b/.github/workflows/browser-test.yml 
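Review bot: `contents: read` is the only scope add-review-template.yml now grants, and naming one scope sets every unnamed scope to none, so the `comment-that-approved` job runs with no `pull-requests` access; if it posts the review template on the PR through GITHUB_TOKEN that call will be refused once this merges. The job's steps are outside the hunk, so this is inferred from the job name. If the comment goes through a PAT from secrets the grant is correct, and a one-line comment such as `# comment is posted with a PAT; GITHUB_TOKEN only needs to read` would stop the next reader from re-adding write.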
@@ -22,6 +22,9 @@ on: # Ultimately, for debugging this workflow itself - .github/workflows/browser-test.yml +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/check-all-english-links.yml b/.github/workflows/check-all-english-links.yml index bcc3c5d71c17..4fa83a40d3dc 100644 --- a/.github/workflows/check-all-english-links.yml +++ b/.github/workflows/check-all-english-links.yml @@ -9,6 +9,10 @@ on: schedule: - cron: '40 19 * * *' # once a day at 19:40 UTC / 11:40 PST +permissions: + contents: read + issues: write + jobs: check_all_english_links: name: Check all links diff --git a/.github/workflows/check-broken-links-github-github.yml b/.github/workflows/check-broken-links-github-github.yml index 932307ee131b..b2f74968446e 100644 --- a/.github/workflows/check-broken-links-github-github.yml +++ b/.github/workflows/check-broken-links-github-github.yml @@ -9,6 +9,9 @@ on: schedule: - cron: '20 13 * * 1' # run every Monday at 1:20PM UTC +permissions: + contents: read + # **IMPORTANT:** Do not change the FREEZE environment variable set here! # This workflow runs on a recurring basis. To temporarily disable it (e.g., # during a docs deployment freeze), add an Actions Secret to the repo settings diff --git a/.github/workflows/check-for-spammy-issues.yml b/.github/workflows/check-for-spammy-issues.yml index 07eae96f2347..b325dd08bd70 100644 --- a/.github/workflows/check-for-spammy-issues.yml +++ b/.github/workflows/check-for-spammy-issues.yml @@ -7,6 +7,10 @@ name: Check for Spammy Issues on: issues: types: [opened] + +permissions: + contents: none + jobs: spammy-title-check: name: Remove issues with spammy titles diff --git a/.github/workflows/code-lint.yml b/.github/workflows/code-lint.yml index 4cc25120b492..b4ff63a0ea63 100644 --- a/.github/workflows/code-lint.yml +++ b/.github/workflows/code-lint.yml 
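Review bot: `contents: none` is used in check-for-spammy-issues.yml as the way to say "no token scopes at all", which works only because naming any scope zeroes the rest; `permissions: {}` is the documented spelling for that and reads as intent rather than as one revoked scope. The same idiom is introduced in confirm-internal-staff-work-in-docs.yml, copy-api-issue-to-internal.yml, first-responder-docs-content.yml, move-existing-issues-to-the-correct-repo.yml, move-new-issues-to-correct-docs-repo.yml, remove-from-fr-board.yaml, repo-freeze-check.yml, site-policy-reminder.yml, start-new-engineering-pr-workflow.yml, sync-search-indices.yml, transfer-api-issue-to-openapi.yml and transfer-to-localization-repo.yml, and move-help-wanted-issues.yml swaps `issues: none` for it with no effective change. `spammy-title-check` has to close or remove issues, so it presumably authenticates with a PAT from secrets; a comment like `# steps use a PAT; GITHUB_TOKEN needs no scopes` beside each block would make that dependency visible.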
@@ -4,9 +4,6 @@ name: Lint code # **Why we have it**: We want some level of consistency to our code. # **Who does it impact**: Docs engineering, open-source engineering contributors. -permissions: - contents: read - on: workflow_dispatch: push: @@ -26,6 +23,9 @@ on: # Ultimately, for debugging this workflow itself - .github/workflows/code-lint.yml +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bbf20269024f..020128f54a44 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -15,6 +15,10 @@ on: - '**/*.js' - '.github/workflows/codeql.yml' +permissions: + actions: read + contents: read + jobs: build: if: github.repository == 'github/docs-internal' || github.repository == 'github/docs' diff --git a/.github/workflows/confirm-internal-staff-work-in-docs.yml b/.github/workflows/confirm-internal-staff-work-in-docs.yml index 17cebab5ae9d..81fa3788b5f4 100644 --- a/.github/workflows/confirm-internal-staff-work-in-docs.yml +++ b/.github/workflows/confirm-internal-staff-work-in-docs.yml @@ -13,6 +13,9 @@ on: types: - opened +permissions: + contents: none + jobs: check-team-membership: runs-on: ubuntu-latest diff --git a/.github/workflows/content-changes-table-comment.yml b/.github/workflows/content-changes-table-comment.yml index dade6fff26f4..8ca2e3b084fe 100644 --- a/.github/workflows/content-changes-table-comment.yml +++ b/.github/workflows/content-changes-table-comment.yml @@ -9,6 +9,10 @@ on: pull_request_target: types: [opened, synchronize, reopened] +permissions: + contents: read + pull-requests: write + jobs: PR-Preview-Links: if: github.event.pull_request.user.login != 'Octomerger' diff --git a/.github/workflows/copy-api-issue-to-internal.yml b/.github/workflows/copy-api-issue-to-internal.yml index f7cd49066650..13bac002f1c0 100644 --- a/.github/workflows/copy-api-issue-to-internal.yml +++ b/.github/workflows/copy-api-issue-to-internal.yml 
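Review bot: The codeql.yml grant stops at `actions: read` and `contents: read`, which leaves `security-events` at none; the CodeQL analyze step uploads its SARIF with GITHUB_TOKEN and needs `security-events: write`, so the scan would run but the upload would be rejected. The `build` job's steps are past the end of the hunk, so this assumes it calls github/codeql-action/analyze as the file name suggests. Add `security-events: write` under the new block.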
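Review bot: content-changes-table-comment.yml pairs `pull_request_target` (visible in the hunk's trigger) with `pull-requests: write`, so the token issued for a fork PR can now write to this repository; that is only safe while no step checks out or executes the PR head. The `PR-Preview-Links` job body is outside the hunk, so confirm it never checks out `github.event.pull_request.head.sha` or runs scripts from the PR tree, and record the constraint next to the grant, e.g. `# pull_request_target issues a write token: never check out or run PR-head code in this job`. os-ready-for-review.yml in this same change uses the trigger with `contents: read` only.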
@@ -9,6 +9,9 @@ on: types: - labeled +permissions: + contents: none + jobs: transfer-issue: name: Transfer issue diff --git a/.github/workflows/create-translation-batch-pr.yml b/.github/workflows/create-translation-batch-pr.yml index 4d6943ce64f4..c18a2d19d36b 100644 --- a/.github/workflows/create-translation-batch-pr.yml +++ b/.github/workflows/create-translation-batch-pr.yml @@ -13,6 +13,9 @@ on: schedule: - cron: '25 */6 * * *' # Every six hours +permissions: + contents: write + jobs: create-translation-batch: name: Create translation batch diff --git a/.github/workflows/crowdin-cleanup.yml b/.github/workflows/crowdin-cleanup.yml index 710624129e18..7552713ab65f 100644 --- a/.github/workflows/crowdin-cleanup.yml +++ b/.github/workflows/crowdin-cleanup.yml @@ -10,6 +10,9 @@ on: branches: - translations +permissions: + contents: write + jobs: homogenize_frontmatter: name: Homogenize frontmatter diff --git a/.github/workflows/enterprise-dates.yml b/.github/workflows/enterprise-dates.yml index 58d7ff05ac1d..158851106d15 100644 --- a/.github/workflows/enterprise-dates.yml +++ b/.github/workflows/enterprise-dates.yml @@ -11,6 +11,10 @@ on: schedule: - cron: '39 2 * * 2' # At 02:39 on Tuesday +permissions: + contents: write + pull-requests: write + # **IMPORTANT:** Do not change the FREEZE environment variable set here! # This workflow runs on a recurring basis. To temporarily disable it (e.g., # during a docs deployment freeze), add an Actions Secret to the repo settings diff --git a/.github/workflows/enterprise-release-sync-search-index.yml b/.github/workflows/enterprise-release-sync-search-index.yml index 60da9c2279b5..b01f8d122061 100644 --- a/.github/workflows/enterprise-release-sync-search-index.yml +++ b/.github/workflows/enterprise-release-sync-search-index.yml @@ -26,6 +26,9 @@ on: - ready_for_review - unlocked +permissions: + contents: write + # This workflow requires a label in the format `sync-english-index-for-` jobs: updateIndices: 
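Review bot: create-translation-batch-pr.yml gets `contents: write` alone, which leaves `pull-requests` at none even though the job exists to open a batch PR; if that PR is created with GITHUB_TOKEN it also needs `pull-requests: write`, as enterprise-dates.yml and update-graphql-files.yml in this same change grant. remove-unused-assets.yml has the same shape, and its second hunk shows a `peter-evans/create-pull-request` step followed by an `env:` block. Both job bodies run past their hunks, so if those steps pass a PAT through `env:` the narrower grant is correct and a comment saying so would help.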
@@ -59,7 +62,6 @@ jobs: env: VERSION: ${{ steps.getVersion.outputs.versionToSync }} LANGUAGE: 'en' - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | npm run build npm run sync-search diff --git a/.github/workflows/first-responder-docs-content.yml b/.github/workflows/first-responder-docs-content.yml index 7c64bcf69983..2911440b2da2 100644 --- a/.github/workflows/first-responder-docs-content.yml +++ b/.github/workflows/first-responder-docs-content.yml @@ -13,6 +13,9 @@ on: - closed - unlabeled +permissions: + contents: none + jobs: first-responder-triage-pr: name: Triage PR to FR project board diff --git a/.github/workflows/hubber-contribution-help.yml b/.github/workflows/hubber-contribution-help.yml index ec1eafe32996..83a3ca6c1e72 100644 --- a/.github/workflows/hubber-contribution-help.yml +++ b/.github/workflows/hubber-contribution-help.yml @@ -12,12 +12,13 @@ on: - 'content/**' - 'data/**' +permissions: + pull-requests: write + jobs: check-team-membership: if: github.repository == 'github/docs-internal' && github.actor != 'github-openapi-bot' runs-on: ubuntu-latest - permissions: - pull-requests: write steps: - id: membership_check uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d diff --git a/.github/workflows/link-check-dotcom.yml b/.github/workflows/link-check-dotcom.yml index f117f616605b..9ba9f5f18fe2 100644 --- a/.github/workflows/link-check-dotcom.yml +++ b/.github/workflows/link-check-dotcom.yml @@ -11,6 +11,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: build: runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }} diff --git a/.github/workflows/link-check-ghae.yml b/.github/workflows/link-check-ghae.yml index d02dbdd300ec..7f9d8fc7fbf7 100644 --- a/.github/workflows/link-check-ghae.yml +++ b/.github/workflows/link-check-ghae.yml 
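Review bot: Dropping `GITHUB_TOKEN` from the `npm run sync-search` step's `env:` leaves `process.env.GITHUB_TOKEN` unset inside the script; a workflow-level `permissions` block changes the token's scopes but does not export it into the step environment. If the sync script or `npm run build` reads that variable the step now runs unauthenticated, so check the script before merging; sync-search-indices.yml makes the identical removal. This file also grants `contents: write` while sync-search-indices.yml grants `contents: none` for what looks like the same sync step, so one of the two is probably mis-scoped.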
@@ -11,6 +11,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: build: runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }} diff --git a/.github/workflows/link-check-ghec.yml b/.github/workflows/link-check-ghec.yml index acc0c21b0ab5..eca647a7a46e 100644 --- a/.github/workflows/link-check-ghec.yml +++ b/.github/workflows/link-check-ghec.yml @@ -11,6 +11,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: build: runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }} diff --git a/.github/workflows/link-check-ghes.yml b/.github/workflows/link-check-ghes.yml index 134e83ece864..3e741d3e278a 100644 --- a/.github/workflows/link-check-ghes.yml +++ b/.github/workflows/link-check-ghes.yml @@ -11,6 +11,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: build: runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }} diff --git a/.github/workflows/merged-notification.yml b/.github/workflows/merged-notification.yml index 7e82935e7cac..828a864c1df5 100644 --- a/.github/workflows/merged-notification.yml +++ b/.github/workflows/merged-notification.yml @@ -9,6 +9,9 @@ on: types: - 'closed' +permissions: + issues: write + jobs: comment: if: github.repository == 'github/docs' && github.event.pull_request.merged && github.event.pull_request.base.ref == github.event.repository.default_branch && github.event.pull_request.user.login != 'Octomerger' diff --git a/.github/workflows/move-existing-issues-to-the-correct-repo.yml b/.github/workflows/move-existing-issues-to-the-correct-repo.yml index 384cc235bc1d..05b994a52574 100644 --- a/.github/workflows/move-existing-issues-to-the-correct-repo.yml +++ b/.github/workflows/move-existing-issues-to-the-correct-repo.yml 
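Review bot: merged-notification.yml grants only `issues: write`, yet the `comment` job's condition shows it acts on a merged pull request; for GITHUB_TOKEN, comments on a pull request are generally governed by `pull-requests: write`, which 60-days-stale-check.yml in this same change grants alongside `issues`. The job steps are outside the hunk, so if the comment is posted with a PAT this does not apply; otherwise confirm the scope against a dry run and add `pull-requests: write` under the new block if it is needed.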
@@ -7,6 +7,9 @@ name: Move existing issues to correct docs repo on: workflow_dispatch: +permissions: + contents: none + jobs: transfer_issues: runs-on: ubuntu-latest diff --git a/.github/workflows/move-help-wanted-issues.yml b/.github/workflows/move-help-wanted-issues.yml index bd4c630a5b89..b5697b6d7daa 100644 --- a/.github/workflows/move-help-wanted-issues.yml +++ b/.github/workflows/move-help-wanted-issues.yml @@ -10,7 +10,7 @@ on: - labeled permissions: - issues: none + contents: none jobs: move_issues: diff --git a/.github/workflows/move-new-issues-to-correct-docs-repo.yml b/.github/workflows/move-new-issues-to-correct-docs-repo.yml index acabc4308882..1c2c36282163 100644 --- a/.github/workflows/move-new-issues-to-correct-docs-repo.yml +++ b/.github/workflows/move-new-issues-to-correct-docs-repo.yml @@ -11,6 +11,9 @@ on: - transferred - reopened +permissions: + contents: none + jobs: transfer_issue: runs-on: ubuntu-latest diff --git a/.github/workflows/move-ready-to-merge-pr.yaml b/.github/workflows/move-ready-to-merge-pr.yaml index 9b037104d964..f9f5c9871b95 100644 --- a/.github/workflows/move-ready-to-merge-pr.yaml +++ b/.github/workflows/move-ready-to-merge-pr.yaml @@ -11,7 +11,6 @@ on: permissions: pull-requests: write - issues: write jobs: unmark_for_review: diff --git a/.github/workflows/move-reopened-issues-to-triage.yaml b/.github/workflows/move-reopened-issues-to-triage.yaml index 925ab443ce29..28b297639887 100644 --- a/.github/workflows/move-reopened-issues-to-triage.yaml +++ b/.github/workflows/move-reopened-issues-to-triage.yaml @@ -9,6 +9,9 @@ on: types: - reopened +permissions: + repository-projects: write + jobs: move-reopened-issue-to-triage: if: github.repository == 'github/docs' @@ -16,7 +19,6 @@ jobs: steps: - uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d with: - github-token: ${{ github.token }} script: | const issueNumber = context.issue.number; const doneColumnId = 11167427; 
diff --git a/.github/workflows/no-response.yaml b/.github/workflows/no-response.yaml index 59a5b8beefe8..c75179a19ea6 100644 --- a/.github/workflows/no-response.yaml +++ b/.github/workflows/no-response.yaml @@ -15,13 +15,16 @@ on: # Schedule for five minutes after the hour every hour - cron: '5 * * * *' +permissions: + issues: write + jobs: noResponse: runs-on: ubuntu-latest steps: - uses: lee-dohm/no-response@9bb0a4b5e6a45046f00353d5de7d90fb8bd773bb with: - token: ${{ github.token }} + token: ${{ secrets.GITHUB_TOKEN }} closeComment: > This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the diff --git a/.github/workflows/open-enterprise-issue.yml b/.github/workflows/open-enterprise-issue.yml index e28fc76c4edc..bad00804fada 100644 --- a/.github/workflows/open-enterprise-issue.yml +++ b/.github/workflows/open-enterprise-issue.yml @@ -9,6 +9,9 @@ on: schedule: - cron: '49 14 * * *' # At 14:49 UTC daily +permissions: + contents: read + jobs: open_enterprise_issue: name: Open Enterprise issue diff --git a/.github/workflows/openapi-schema-check.yml b/.github/workflows/openapi-schema-check.yml index 59228d96aaf5..01dd710a7847 100644 --- a/.github/workflows/openapi-schema-check.yml +++ b/.github/workflows/openapi-schema-check.yml @@ -23,6 +23,9 @@ on: - 'script/rest/**/*.js' - 'package*.json' +permissions: + contents: read + jobs: check-schema-versions: if: ${{ github.repository == 'github/docs-internal' }} diff --git a/.github/workflows/os-ready-for-review.yml b/.github/workflows/os-ready-for-review.yml index 638d93f2628c..75d00c9d4d36 100644 --- a/.github/workflows/os-ready-for-review.yml +++ b/.github/workflows/os-ready-for-review.yml 
@@ -3,15 +3,15 @@ name: OS Ready for review # **What it does**: Adds pull requests and issues in the docs repository to the docs-content review board when the "waiting for review" label is added # **Why we have it**: So that contributors in the OS repo can easily get reviews from the docs-content team, and so that writers can see when a PR is ready for review # **Who does it impact**: Writers working in the docs repository -permissions: - contents: read - on: pull_request_target: types: [labeled] issues: types: [labeled] +permissions: + contents: read + jobs: request_doc_review: name: Request a review from the docs-content team diff --git a/.github/workflows/pa11y.yml b/.github/workflows/pa11y.yml index b9efeff5f0c9..86ee0591b4fd 100644 --- a/.github/workflows/pa11y.yml +++ b/.github/workflows/pa11y.yml @@ -8,6 +8,10 @@ on: workflow_dispatch: schedule: - cron: '25 17 * * *' # once a day at 17:25 UTC / 11:50 PST + +permissions: + contents: read + jobs: test: if: github.repository == 'github/docs-internal' || github.repository == 'github/docs' diff --git a/.github/workflows/ping-staging-apps.yml b/.github/workflows/ping-staging-apps.yml index e77cadbf464b..0151a3fe95e3 100644 --- a/.github/workflows/ping-staging-apps.yml +++ b/.github/workflows/ping-staging-apps.yml @@ -8,6 +8,9 @@ on: schedule: - cron: '10,30,50 * * * *' # every twenty minutes +permissions: + contents: read + jobs: ping_staging_apps: name: Ping diff --git a/.github/workflows/ready-for-doc-review.yml b/.github/workflows/ready-for-doc-review.yml index 273ff223255d..782bac10a582 100644 --- a/.github/workflows/ready-for-doc-review.yml +++ b/.github/workflows/ready-for-doc-review.yml @@ -8,6 +8,9 @@ on: pull_request: types: [labeled] +permissions: + contents: read + jobs: request_doc_review: name: Request a review from the docs-content team diff --git a/.github/workflows/remove-from-fr-board.yaml b/.github/workflows/remove-from-fr-board.yaml index cc46e8e9a4fc..31027d0d080e 100644 
--- a/.github/workflows/remove-from-fr-board.yaml +++ b/.github/workflows/remove-from-fr-board.yaml @@ -8,6 +8,9 @@ on: repository_dispatch: types: remove_from_docs_FR_board +permissions: + contents: none + jobs: remove_from_FR_board: if: github.repository == 'github/docs-internal' diff --git a/.github/workflows/remove-unused-assets.yml b/.github/workflows/remove-unused-assets.yml index 2c91d3e6f608..261d8a611466 100644 --- a/.github/workflows/remove-unused-assets.yml +++ b/.github/workflows/remove-unused-assets.yml @@ -8,6 +8,9 @@ on: schedule: - cron: '20 15 * * 0' # run every Sunday at 20:15 UTC / 12:15 PST +permissions: + contents: write + env: FREEZE: ${{ secrets.FREEZE }} @@ -39,7 +42,7 @@ jobs: with: path: ./results.md - name: Remove script results file - run: rm -rf ./results.md + run: rm ./results.md - name: Create pull request uses: peter-evans/create-pull-request@7380612b49221684fefa025244f2ef4008ae50ad env: diff --git a/.github/workflows/repo-freeze-check.yml b/.github/workflows/repo-freeze-check.yml index 978e31e9bc2e..3815e2883ac3 100644 --- a/.github/workflows/repo-freeze-check.yml +++ b/.github/workflows/repo-freeze-check.yml @@ -16,6 +16,9 @@ on: branches: - main +permissions: + contents: none + env: FREEZE: ${{ secrets.FREEZE }} diff --git a/.github/workflows/repo-sync-stalls.yml b/.github/workflows/repo-sync-stalls.yml index 2d5c7029c68f..f23356765124 100644 --- a/.github/workflows/repo-sync-stalls.yml +++ b/.github/workflows/repo-sync-stalls.yml @@ -9,6 +9,9 @@ on: schedule: - cron: '32 */2 * * *' # At minute 32 past every 2nd hour. +permissions: + pull-requests: read + jobs: repo-sync-stalls: runs-on: ubuntu-latest @@ -17,7 +20,6 @@ jobs: name: Check if repo sync is stalled uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d with: - github-token: ${{ secrets.DOCUBOT_READORG_REPO_WORKFLOW_SCOPES }} script: | let pulls; const owner = context.repo.owner 
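Review bot: `rm ./results.md` without `-f` now fails the job when the file is absent, where the old `rm -rf` tolerated that silently. The step just before uploads `./results.md` as an artifact, so the file should always exist here and a loud failure is the better default; if the earlier script can legitimately produce no results, guard the step with `if: hashFiles('results.md') != ''` rather than restoring `-f`.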
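Review bot: Removing `github-token: ${{ secrets.DOCUBOT_READORG_REPO_WORKFLOW_SCOPES }}` switches the script to the default `github.token`, which is scoped to this repository only; the new `pull-requests: read` grant covers listing this repo's PRs (`let pulls;` opens the script) but nothing cross-repo or org-level, which the secret's name suggests the PAT had. The script continues past the hunk, so verify it reads no other repository or org membership before the PAT is dropped. Moving off a long-lived PAT is the right direction; a comment such as `# default GITHUB_TOKEN: repo-scoped, PRs read-only` at the grant would record the assumption.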
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml index cb661982e438..bf4365e87390 100644 --- a/.github/workflows/repo-sync.yml +++ b/.github/workflows/repo-sync.yml @@ -20,6 +20,10 @@ on: schedule: - cron: '10,40 * * * *' # every 30 minutes +permissions: + contents: read + pull-requests: write + jobs: close-invalid-repo-sync: name: Close invalid Repo Sync PRs diff --git a/.github/workflows/site-policy-reminder.yml b/.github/workflows/site-policy-reminder.yml index ab00290807c6..4491321bcc19 100644 --- a/.github/workflows/site-policy-reminder.yml +++ b/.github/workflows/site-policy-reminder.yml @@ -8,6 +8,9 @@ on: pull_request: types: [labeled] +permissions: + contents: none + jobs: run: if: >- diff --git a/.github/workflows/site-policy-sync.yml b/.github/workflows/site-policy-sync.yml index 29aa9ba8ea3f..db2fda616f30 100644 --- a/.github/workflows/site-policy-sync.yml +++ b/.github/workflows/site-policy-sync.yml @@ -16,14 +16,14 @@ on: - 'content/github/site-policy/**' workflow_dispatch: +permissions: + contents: read + jobs: sync: name: Get the latest docs if: github.event_name == 'workflow_dispatch' || (github.event.pull_request.merged == true && github.repository == 'github/docs-internal') runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write steps: - name: checkout docs-internal uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 diff --git a/.github/workflows/start-new-engineering-pr-workflow.yml b/.github/workflows/start-new-engineering-pr-workflow.yml index 352b48dfa9e5..5290162e762b 100644 --- a/.github/workflows/start-new-engineering-pr-workflow.yml +++ b/.github/workflows/start-new-engineering-pr-workflow.yml @@ -10,6 +10,9 @@ on: - opened - reopened +permissions: + contents: none + jobs: triage: if: github.repository == 'github/docs-internal' || github.repository == 'github/docs' 
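Review bot: The `sync` job in site-policy-sync.yml previously carried `contents: write` and `pull-requests: write`, and the replacement is a workflow-level `contents: read`, so any push or PR creation that used GITHUB_TOKEN in this job will now be refused. Only the docs-internal checkout is visible and the rest of the job runs past the hunk; since the job syncs into another repository it presumably uses a PAT, in which case the reduction is correct. A short comment at the grant, e.g. `# cross-repo sync uses a PAT; GITHUB_TOKEN only reads`, would record why write was dropped.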
diff --git a/.github/workflows/sync-search-indices.yml b/.github/workflows/sync-search-indices.yml index e9064920bdc1..53f8167e336b 100644 --- a/.github/workflows/sync-search-indices.yml +++ b/.github/workflows/sync-search-indices.yml @@ -33,6 +33,9 @@ on: schedule: - cron: '53 0/8 * * *' # Run every eight hours at 53 minutes past the hour +permissions: + contents: none + env: FREEZE: ${{ secrets.FREEZE }} @@ -66,7 +69,6 @@ jobs: - name: Update search indexes env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VERSION: ${{ github.event.inputs.version }} LANGUAGE: ${{ github.event.inputs.language }} run: npm run sync-search diff --git a/.github/workflows/sync-search-pr.yml b/.github/workflows/sync-search-pr.yml index 341bcc8a9fef..6a1cb23789ec 100644 --- a/.github/workflows/sync-search-pr.yml +++ b/.github/workflows/sync-search-pr.yml @@ -13,6 +13,9 @@ on: # Ultimately, for debugging this workflow itself - .github/workflows/sync-search-pr.yml +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml index 8f368448c5ee..c46c5118c2ec 100644 --- a/.github/workflows/test-windows.yml +++ b/.github/workflows/test-windows.yml @@ -12,6 +12,9 @@ on: schedule: - cron: '50 19 * * *' # once a day at 19:50 UTC / 11:50 PST +permissions: + contents: read + env: CI: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 346b8297053b..804b349ba9fb 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,6 +13,11 @@ on: - main pull_request: +permissions: + contents: read + # Needed for the 'trilom/file-changes-action' action + pull-requests: read + env: CI: true diff --git a/.github/workflows/transfer-api-issue-to-openapi.yml b/.github/workflows/transfer-api-issue-to-openapi.yml index b03c55e3715d..b7875594cdc5 100644 --- a/.github/workflows/transfer-api-issue-to-openapi.yml +++ b/.github/workflows/transfer-api-issue-to-openapi.yml 
@@ -9,6 +9,9 @@ on: types: - labeled +permissions: + contents: none + jobs: transfer-issue: name: Transfer issue diff --git a/.github/workflows/transfer-to-localization-repo.yml b/.github/workflows/transfer-to-localization-repo.yml index 0e34e61a3c58..a7fd81d4c380 100644 --- a/.github/workflows/transfer-to-localization-repo.yml +++ b/.github/workflows/transfer-to-localization-repo.yml @@ -4,14 +4,14 @@ name: Copy to REST API issue to docs-content # **Why we have it**: REST API updates cannot be made in the open source repo. Instead, we copy the issue to an internal issue (we do not transfer so that the issue does not disappear for the contributor) and close the original issue. # **Who does it impact**: Open source and docs-content maintainers -permissions: - contents: write - on: issues: types: - labeled +permissions: + contents: none + jobs: transfer-issue: name: Transfer issue diff --git a/.github/workflows/triage-issue-comments.yml b/.github/workflows/triage-issue-comments.yml index 0d06cd78257e..d99bc0973bc8 100644 --- a/.github/workflows/triage-issue-comments.yml +++ b/.github/workflows/triage-issue-comments.yml @@ -11,6 +11,7 @@ on: permissions: issues: write + repository-projects: write jobs: triage-issue-comments: @@ -22,7 +23,6 @@ jobs: uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d id: is-internal-contributor with: - github-token: ${{ secrets.GITHUB_TOKEN }} result-encoding: string script: | const repo = context.payload.repository.name diff --git a/.github/workflows/triage-pull-requests.yml b/.github/workflows/triage-pull-requests.yml index 894acb1ecf5c..5a5088d3f6f6 100644 --- a/.github/workflows/triage-pull-requests.yml +++ b/.github/workflows/triage-pull-requests.yml @@ -13,7 +13,6 @@ on: permissions: pull-requests: write repository-projects: write - issues: write jobs: triage_pulls: 
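Review bot: The context of the transfer-to-localization-repo.yml hunk shows the file headed `name: Copy to REST API issue to docs-content` with a "Why we have it" line about REST API issues, which describes copy-api-issue-to-internal.yml rather than this file; since the commit already rewrites this header block, the stale name and description should be corrected in the same change. The drop from `contents: write` to `contents: none` looks right for an issue-transfer job that authenticates with a PAT, but the job steps are outside the hunk.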
diff --git a/.github/workflows/triage-unallowed-contributions.yml b/.github/workflows/triage-unallowed-contributions.yml index 30e1d18494aa..8d0bc4244216 100644 --- a/.github/workflows/triage-unallowed-contributions.yml +++ b/.github/workflows/triage-unallowed-contributions.yml @@ -24,6 +24,9 @@ on: - 'scripts/**' - 'translations/**' +permissions: + pull-requests: write + jobs: triage: if: >- @@ -75,7 +78,6 @@ jobs: if: ${{ steps.filter.outputs.notAllowed }} uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d with: - github-token: ${{ secrets.GITHUB_TOKEN }} script: | const badFilesArr = [ '.github/actions-scripts/**', @@ -102,7 +104,7 @@ jobs: let workflowFailMessage = "It looks like you've modified some files that we can't accept as contributions." try { - createdComment = await github.issues.createComment ({ + createdComment = await github.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.payload.number, diff --git a/.github/workflows/triage-unallowed-internal-changes.yml b/.github/workflows/triage-unallowed-internal-changes.yml index d79127c62e2a..f184606f7a05 100644 --- a/.github/workflows/triage-unallowed-internal-changes.yml +++ b/.github/workflows/triage-unallowed-internal-changes.yml @@ -13,6 +13,10 @@ on: - reopened - synchronize +permissions: + # This is needed by dorny/paths-filter + pull-requests: read + jobs: check-internal-changes: if: github.repository == 'github/docs-internal' && github.event.pull_request.user.login != 'Octomerger' diff --git a/.github/workflows/update-graphql-files.yml b/.github/workflows/update-graphql-files.yml index 2a59e11c0ff6..9d984311e1b3 100644 --- a/.github/workflows/update-graphql-files.yml +++ b/.github/workflows/update-graphql-files.yml 
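Review bot: `pull-requests: write` is granted so the later `github.issues.createComment({` call can post on the PR, but whether it takes effect depends on the trigger, which sits above the hunk: on a plain `pull_request` event from a fork GITHUB_TOKEN is read-only regardless of this block and the comment is refused, while on `pull_request_target` the write token is live for fork PRs and the job must not check out or run PR-head code. Whichever applies, state it next to the grant, e.g. `# commenting on fork PRs needs pull_request_target; never check out PR head in this job`. The `triage` job's steps continue outside the hunk.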
@@ -9,6 +9,10 @@ on: schedule: - cron: '20 16 * * *' # run every day at 16:20 UTC / 8:20 PST +permissions: + contents: write + pull-requests: write + # **IMPORTANT:** Do not change the FREEZE environment variable set here! # This workflow runs on a recurring basis. To temporarily disable it (e.g., # during a docs deployment freeze), add an Actions Secret to the repo settings diff --git a/.github/workflows/workflow-lint.yml b/.github/workflows/workflow-lint.yml index 687f73483a73..d2e55b215c48 100644 --- a/.github/workflows/workflow-lint.yml +++ b/.github/workflows/workflow-lint.yml @@ -17,6 +17,9 @@ on: - '.github/workflows/*.yml' - '.github/workflows/*.yaml' +permissions: + contents: read + jobs: lint: if: ${{ github.repository == 'github/docs-internal' }} diff --git a/components/article/ArticlePage.tsx b/components/article/ArticlePage.tsx index 4b34b8144251..c1ac03e44651 100644 --- a/components/article/ArticlePage.tsx +++ b/components/article/ArticlePage.tsx @@ -1,8 +1,9 @@ import { useRouter } from 'next/router' +import { useState } from 'react' import cx from 'classnames' import { ActionList, Heading } from '@primer/components' -import { ZapIcon, InfoIcon, ShieldLockIcon } from '@primer/octicons-react' +import { ChevronDownIcon, ZapIcon, InfoIcon, ShieldLockIcon } from '@primer/octicons-react' import { Callout } from 'components/ui/Callout' import { Link } from 'components/Link' @@ -60,8 +61,9 @@ export const ArticlePage = () => { } = useArticleContext() const { t } = useTranslation('pages') const currentPath = router.asPath.split('?')[0] + const [isActive, setActive] = useState(-1) - const renderTocItem = (item: MiniTocItem) => { + const renderTocItem = (item: MiniTocItem, index: number) => { return ( { sx={{ listStyle: 'none', padding: '2px' }} >
-
+
+ {item.items && item.items.length > 0 && ( + + )} {item.items && item.items.length > 0 ? ( -
    {item.items.map(renderTocItem)}
+
    + {item.items.map(renderTocItem)} +
) : null}
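Review bot: `isActive` is a single number compared against `index`, but `index` is a position within whichever list is being rendered: the later hunk calls `renderTocItem(items, i)` with the top-level index while this hunk's `item.items.map(renderTocItem)` hands nested items their own 0-based index, so a nested entry whose position equals an expanded top-level index will be treated as active too. The toggle JSX is not legible in this extract, so this is inferred from the state shape; keying the expanded state on something unique per item (its href or title) or holding a `Set` of expanded keys would avoid the collision. Naming the pair `activeIndex`/`setActiveIndex` would also stop it reading as a boolean. `renderTocItem` and the enclosing `ArticlePage` continue outside the hunk.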
@@ -146,7 +158,7 @@ export const ArticlePage = () => { return { key: title + i, text: title, - renderItem: () =>
    {renderTocItem(items)}
, + renderItem: () =>
    {renderTocItem(items, i)}
, } })} /> diff --git a/tests/rendering/server.js b/tests/rendering/server.js index 7d7ef021fc5c..82ba123ca709 100644 --- a/tests/rendering/server.js +++ b/tests/rendering/server.js @@ -344,7 +344,7 @@ describe('server', () => { ) expect($('h2#in-this-article').length).toBe(1) expect($('h2#in-this-article + div div ul').length).toBeGreaterThan(0) // non-indented items - expect($('h2#in-this-article + div div ul li div div div ul.ml-3').length).toBeGreaterThan(0) // indented items + expect($('h2#in-this-article + div div ul li div div div ul li').length).toBeGreaterThan(0) // indented items }) test('does not render mini TOC in articles with only one heading', async () => {