ci: Update Workflow Permissions (#889)

* Update Permissions
streetsidesoftware · Aug 15, 2022 · 8cf78ba · 8cf78ba
1 parent ff09c66
commit 8cf78ba
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 0 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ on: # rebuild any PRs and main branch changes
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   cspell:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -3,6 +3,17 @@ on:
   push:
     branches:
       - main
+
+permissions:
+  actions: read
+  checks: write
+  contents: write
+  issues: read
+  packages: write
+  pull-requests: write
+  repository-projects: read
+  statuses: read
+
 name: release-please
 jobs:
   release-please:

diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
@@ -5,6 +5,9 @@ on: # rebuild any PRs and main branch changes
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   test-action: # run the action
     runs-on: ubuntu-latest
@@ -72,3 +75,38 @@ jobs:
           outputs: ${{ toJSON(steps.cspell-action.outputs) }}
         run: |
           echo "$outputs"
+
+  # Experiment with writing the status to a PR.
+  # show_status:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Env
+  #       env:
+  #         github: ${{ toJSON(github) }}
+  #       run: |
+  #         echo GITHUB_REPOSITORY_OWNER=$GITHUB_REPOSITORY_OWNER
+  #         echo GITHUB_REPOSITORY=$GITHUB_REPOSITORY
+  #         echo GITHUB_REF=$GITHUB_REF
+  #         echo SHA=${{ github.event.pull_request.head.sha || env.GITHUB_SHA }}
+  #         echo github="$github"
+  #         env
+  #     - name: GH Status
+  #       env:
+  #         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       run: |
+  #         gh api \
+  #           -H "Accept: application/vnd.github+json" \
+  #           /repos/$GITHUB_REPOSITORY/commits/$GITHUB_REF/statuses
+  #     - name: Write Status
+  #       env:
+  #         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #         SHA: ${{ github.event.pull_request.head.sha || env.GITHUB_SHA }}
+  #       run: |
+  #         gh api \
+  #           --method POST \
+  #           -H "Accept: application/vnd.github+json" \
+  #           /repos/$GITHUB_REPOSITORY/statuses/$SHA \
+  #           -f state='success' \
+  #           -f target_url='https://example.com/build/status' \
+  #           -f description='The test succeeded!' \
+  #           -f context='continuous-integration/testing for fun'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -5,6 +5,9 @@ on: # rebuild any PRs and main branch changes
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   action-is-pristine: # make sure nothing changes in the action.
     runs-on: ubuntu-latest

diff --git a/.github/workflows/update-cspell.yml b/.github/workflows/update-cspell.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "0 12 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   update-cspell:
     if: github.repository_owner == 'streetsidesoftware'

diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "0 12 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   update-dependencies:
     if: github.repository_owner == 'streetsidesoftware'