Merge eace203 into c38a566

.github/workflows/codeql-analysis.yml

@@ -12,8 +12,15 @@ on:
   schedule:
     - cron: "0 23 * * 0"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     name: Analyze
     runs-on: ubuntu-latest
 
@@ -31,3 +38,4 @@ jobs:
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v1
+# cspell:ignore SARIF

.github/workflows/coverage.yml

@@ -19,8 +19,14 @@ on:
       - ".github/workflows/coverage.yml"
       - "!docs/**"
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
+    permissions:
+      checks: write # for coverallsapp/github-action to create new checks
+      contents: read # for actions/checkout to fetch code
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/cspell-action.yml

@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   cspell:
     runs-on: ubuntu-latest

.github/workflows/cspell-cli.yml

@@ -7,6 +7,9 @@ on:
   # Run on demand
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   cspell:
     runs-on: ubuntu-latest

.github/workflows/cspell4-integration-update.yml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   update-dependencies:
     if: github.repository_owner == 'streetsidesoftware'

.github/workflows/integration-test.yml

@@ -21,6 +21,9 @@ on:
   # Run on demand
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   integration-tests:
     runs-on: ${{ matrix.os }}

.github/workflows/issues-lock.yml

@@ -5,8 +5,13 @@ on:
     - cron: "30 5 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write # for dessant/lock-threads to lock issues
     runs-on: ubuntu-latest
     steps:
       - uses: dessant/lock-threads@v3.0.0

.github/workflows/lint-docs.yml

@@ -9,6 +9,9 @@ on:
     paths:
       - "docs/**"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/lint.yml

@@ -9,6 +9,9 @@ on:
     paths-ignore:
       - "docs/**"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/publish.yml

@@ -18,8 +18,13 @@ on:
         default: next
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   stub:
+    permissions:
+      contents: none
     runs-on: ubuntu-latest
     steps:
       - run: echo "Publish Stub"

.github/workflows/release-drafter.yml

@@ -12,8 +12,38 @@ on:
   # Run on demand
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
+  update_pr_labels:
+    if: github.ref != 'refs/heads/main'
+    permissions:
+      pull-requests: write # for release-drafter/release-drafter to add label to PR
+    runs-on: ubuntu-latest
+    steps:
+      # (Optional) GitHub Enterprise requires GHE_HOST variable set
+      #- name: Set GHE_HOST
+      #  run: |
+      #    echo "GHE_HOST=${GITHUB_SERVER_URL##https:\/\/}" >> $GITHUB_ENV
+
+      # Drafts your next Release notes as Pull Requests are merged into "master"
+      - uses: release-drafter/release-drafter@v5
+        # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
+        # with:
+        #   config-name: my-config.yml
+        #   disable-autolabeler: true
+        with:
+          # See [Release Drafter is *sometimes* including unmerged PRs · Issue #917 · release-drafter/release-drafter](https://github.com/release-drafter/release-drafter/issues/917)
+          disable-releaser: true
+          disable-autolabeler: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   update_release_draft:
+    if: github.ref == 'refs/heads/main'
+    permissions:
+      contents: write # needed by release-drafter/release-drafter to write to the draft release.
     runs-on: ubuntu-latest
     steps:
       # (Optional) GitHub Enterprise requires GHE_HOST variable set
@@ -29,7 +59,8 @@ jobs:
         #   disable-autolabeler: true
         with:
           # See [Release Drafter is *sometimes* including unmerged PRs · Issue #917 · release-drafter/release-drafter](https://github.com/release-drafter/release-drafter/issues/917)
-          disable-releaser: github.ref != 'refs/heads/main'
+          disable-releaser: false
+          disable-autolabeler: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # cspell:ignore auto* *labeler

.github/workflows/test-build-docs.yml

@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   test-build-docs:
     runs-on: ${{ matrix.os }}

.github/workflows/test.yml

@@ -14,6 +14,9 @@ on:
     paths-ignore:
       - "docs/**"
 
+permissions:
+  contents: read
+
 jobs:
   test-node-versions:
     runs-on: ${{ matrix.os }}

.github/workflows/update-dependencies-cspell4.yml

@@ -16,6 +16,9 @@ on:
   schedule:
     - cron: "0 12 * * 0"
 
+permissions:
+  contents: read
+
 jobs:
   update-dependencies:
     if: github.repository_owner == 'streetsidesoftware'

.github/workflows/update-dependencies.yml

@@ -17,6 +17,9 @@ on:
   schedule:
     - cron: "0 12 * * 0"
 
+permissions:
+  contents: read
+
 jobs:
   update-dependencies:
     if: github.repository_owner == 'streetsidesoftware'

.github/workflows/update-docs.yml

@@ -8,6 +8,9 @@ on:
       - "packages/cspell-types/**/*.ts"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update-dependencies:
     if: github.repository_owner == 'streetsidesoftware'

.github/workflows/update-integration-snapshots.yml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "0 8 * * 1" # Monday at 8 UTC
 
+permissions:
+  contents: read
+
 jobs:
   update:
     if: github.repository_owner == 'streetsidesoftware'

.github/workflows/version.yml

@@ -8,6 +8,9 @@ on:
         default: main
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   version:
     runs-on: ubuntu-latest