diff --git a/.github/workflows/composer-install.yml b/.github/workflows/composer-install.yml
index 993fda7..4b9cdca 100644
--- a/.github/workflows/composer-install.yml
+++ b/.github/workflows/composer-install.yml
@@ -8,6 +8,10 @@ on:
 - "composer.json"
 - "composer.lock"
+permissions:
+ contents: write
+ statuses: write
+
 jobs:
 ComposerInstall:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/compress-images.yml b/.github/workflows/compress-images.yml
index 8bfc312..c9db34c 100644
--- a/.github/workflows/compress-images.yml
+++ b/.github/workflows/compress-images.yml
@@ -2,10 +2,17 @@
 # Compress images on demand (workflow_dispatch), and at 11pm every Sunday (schedule).
 # Open a Pull Request if any images can be compressed.
 name: Compress Images on Demand
+
 on:
 workflow_dispatch:
 schedule:
 - cron: "00 23 * * 0"
+
+permissions:
+ contents: write
+ statuses: write
+ pull-requests: write
+
 jobs:
 CompressOnDemandOrSchedule:
 name: calibreapp/image-actions
diff --git a/.github/workflows/laravel-phpunit.yml b/.github/workflows/laravel-phpunit.yml
index 940e459..015103d 100644
--- a/.github/workflows/laravel-phpunit.yml
+++ b/.github/workflows/laravel-phpunit.yml
@@ -7,6 +7,10 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: write
+ statuses: write
+
 jobs:
 laravel-tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-compress-images.yml b/.github/workflows/pr-compress-images.yml
index 590a407..05b8d96 100644
--- a/.github/workflows/pr-compress-images.yml
+++ b/.github/workflows/pr-compress-images.yml
@@ -1,5 +1,6 @@
 ---
 name: Compress Images
+
 on:
 pull_request:
 # Run Image Actions when JPG, JPEG, PNG or WebP files are added or changed.
@@ -9,6 +10,12 @@ on:
 - "**.jpeg"
 - "**.png"
 - "**.webp"
+
+permissions:
+ contents: write
+ statuses: write
+ pull-requests: write
+
 jobs:
 CompressInPR:
 # Only run on Pull Requests within the same repository, and not from forks.
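Review bot: The `contents: write` / `statuses: write` pair is granted at workflow level here and repeated unchanged in laravel-phpunit.yml, release-drafter.yml and sync-labels-to-own-projects.yml, so every job in those workflows receives a token that can push to the repository whether or not a step needs it. The jobs' steps are outside these hunks, so which scopes are actually used cannot be confirmed from the diff. laravel-phpunit.yml in particular runs on `pull_request` and, if it only installs dependencies and runs tests, should need no more than `contents: read`. I would default each workflow to `contents: read` and put the write scope on the single job that commits or publishes, with a comment beside it such as `# contents: write is required by the <step name> step` so the grant can be audited later.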
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 5188706..771e7b5 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -24,6 +24,14 @@ on:
 pull_request:
 branches: [master, main]
+############################################
+# Grant status permission for MULTI_STATUS #
+############################################
+permissions:
+ contents: read
+ packages: read
+ statuses: write
+
 ###############
 # Set the Job #
 ###############
@@ -34,14 +42,6 @@ jobs:
 # Set the agent to run on
 runs-on: ubuntu-latest
- ############################################
- # Grant status permission for MULTI_STATUS #
- ############################################
- permissions:
- contents: read
- packages: read
- statuses: write
-
 ##################
 # Load all steps #
 ##################
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index df82233..a849de8 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -4,6 +4,10 @@ name: Release Drafter
 on:
 workflow_call:
+permissions:
+ contents: write
+ statuses: write
+
 jobs:
 update_release_draft:
 name: ✏️ Draft release
diff --git a/.github/workflows/reviewdog-linters.yml b/.github/workflows/reviewdog-linters.yml
index b034c11..8346b28 100644
--- a/.github/workflows/reviewdog-linters.yml
+++ b/.github/workflows/reviewdog-linters.yml
@@ -3,6 +3,11 @@ name: Reviewdog Linters
 on: [push]
+permissions:
+ contents: read
+ packages: read
+ statuses: write
+
 jobs:
 linters:
 name: Linters
diff --git a/.github/workflows/sync-labels-to-own-projects.yml b/.github/workflows/sync-labels-to-own-projects.yml
index b26656b..b301809 100644
--- a/.github/workflows/sync-labels-to-own-projects.yml
+++ b/.github/workflows/sync-labels-to-own-projects.yml
@@ -12,6 +12,10 @@ on:
 schedule:
 - cron: "0 0 * * *" # Every day at midnight
+permissions:
+ contents: write
+ statuses: write
+
 jobs:
 sync-labels:
 runs-on: ubuntu-latest
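Review bot: Moving the `permissions` block from the job up to workflow level widens the grant from one job to every job in pr-lint.yml, including any added later. Only one job is visible in these hunks, so the effective grant may be unchanged today, but the job-level placement removed in the next hunk was the tighter one, and the banner comment still describes a grant meant for MULTI_STATUS only. If the move is wanted for consistency with the other workflows, extend the banner with a line such as `# Workflow-wide: applies to every job below` so the wider scope is explicit.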
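Review bot: release-drafter.yml is triggered only by `workflow_call`, and a called workflow's `GITHUB_TOKEN` cannot hold more than the calling workflow already has, so the `contents: write` declared here takes effect only if the caller grants it as well. Declaring `permissions` also sets every unlisted scope to `none`. A release-drafting step normally reads merged pull requests, so `pull-requests: read` is probably needed, while `statuses: write` looks unused; the job's steps are outside the hunk, so both should be confirmed. A comment above the block, `# Callers must grant at least these scopes`, would record the first point for whoever wires up a caller.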
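Review bot: Declaring `permissions` in reviewdog-linters.yml sets every scope that is not listed to `none`, and this list has no `checks` or `pull-requests` entry. reviewdog's `github-check` and `github-pr-check` reporters post through the Checks API and `github-pr-review` posts review comments, so depending on which reporter the steps use (they are outside the hunk) the job may need `checks: write` or `pull-requests: write` rather than `statuses: write`. The block appears to be copied from pr-lint.yml, where `statuses: write` serves MULTI_STATUS, so confirm it matches what this job actually reports with before merging.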