build: Remove redundant confusing Mega Linter permissions

Signed-off-by: Michael Vorburger <mike@vorburger.ch>
www-learn-study · Nov 2, 2023 · 4209614 · 4209614
1 parent 6eadd17
commit 4209614
Showing 1 changed file with 4 additions and 8 deletions.
diff --git a/.github/workflows/mega-linter.yaml b/.github/workflows/mega-linter.yaml
@@ -36,8 +36,11 @@ concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# NB: The "Maximum access for pull requests from public forked repositories" is still only read, even though we ask for write here;
+# this only applies to branches on the repo itself. This makes sense security wise (committers who you can push to branches, are implictily already "trusted" anyway, as they could merge PRs).
 permissions:
-  contents: read
+  contents: write
   pull-requests: write
   issues: write
 
@@ -46,13 +49,6 @@ jobs:
     name: MegaLinter
     runs-on: ubuntu-latest
 
-    # Give the default GITHUB_TOKEN write permission to commit and push, comment
-    # issues, and post new Pull Requests; remove the ones you do not need
-    permissions:
-      contents: write
-      issues: write
-      pull-requests: write
-
     steps:
       # Git Checkout
       - name: Harden Runner