chore(workflows): set workflow permissions in jobs

2026-01-26 03:13:57 +00:00 · 2024-08-21 11:03:25 +03:00
parent 92b8749e34
commit c18ea6bebe
12 changed files with 54 additions and 54 deletions
--- a/.github/workflows/composer-install.yml
+++ b/.github/workflows/composer-install.yml
@@ -8,14 +8,14 @@ on:
      - "composer.json"
      - "composer.lock"

-permissions:
-  contents: write
-  statuses: write
-
 jobs:
  ComposerInstall:
    runs-on: ubuntu-latest

+    permissions:
+      contents: write
+      statuses: write
+
    strategy:
      matrix:
        operating-system: ["ubuntu-latest"]
--- a/.github/workflows/compress-images.yml
+++ b/.github/workflows/compress-images.yml
@@ -8,15 +8,17 @@ on:
  schedule:
    - cron: "00 23 * * 0"

-permissions:
-  contents: write
-  statuses: write
-  pull-requests: write
-
 jobs:
  CompressOnDemandOrSchedule:
    name: calibreapp/image-actions
+
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      statuses: write
+      pull-requests: write
+
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -12,12 +12,11 @@ name: "Dependency Review"

 on: [pull_request]

-permissions:
-  contents: read
-
 jobs:
  dependency-review:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4
--- a/.github/workflows/laravel-phpunit.yml
+++ b/.github/workflows/laravel-phpunit.yml
@@ -7,18 +7,18 @@ on:
  pull_request:
    branches: [main]

-permissions:
-  contents: write
-  statuses: write
-
 jobs:
  laravel-tests:
    runs-on: ubuntu-latest

+    permissions:
+      contents: write
+      statuses: write
+
    steps:
      - uses: shivammathur/setup-php@v2
        with:
-          php-version: "8.1"
+          php-version: "8.3"

      - uses: actions/checkout@v4

--- a/.github/workflows/pr-compress-images.yml
+++ b/.github/workflows/pr-compress-images.yml
@@ -11,17 +11,18 @@ on:
      - "**.png"
      - "**.webp"

-permissions:
-  contents: write
-  statuses: write
-  pull-requests: write
-
 jobs:
  CompressInPR:
    # Only run on Pull Requests within the same repository, and not from forks.
    if: github.event.pull_request.head.repo.full_name == github.repository
    name: calibreapp/image-actions
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      statuses: write
+      pull-requests: write
+
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -24,14 +24,6 @@ on:
  pull_request:
    branches: [master, main]

-############################################
-# Grant status permission for MULTI_STATUS #
-############################################
-permissions:
-  contents: read
-  packages: read
-  statuses: write
-
 ###############
 # Set the Job #
 ###############
@@ -42,6 +34,14 @@ jobs:
    # Set the agent to run on
    runs-on: ubuntu-latest

+    ############################################
+    # Grant status permission for MULTI_STATUS #
+    ############################################
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
+
    ##################
    # Load all steps #
    ##################
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -4,14 +4,13 @@ name: Release Drafter
 on:
  workflow_call:

-permissions:
-  contents: write
-  statuses: write
-
 jobs:
  update_release_draft:
    name: ✏️ Draft release
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      statuses: write
    steps:
      - name: 🚀 Run Release Drafter
        uses: release-drafter/release-drafter@v6.0.0
--- a/.github/workflows/release-monthly.yaml
+++ b/.github/workflows/release-monthly.yaml
@@ -7,13 +7,12 @@ on:
  schedule:
    - cron: "0 0 1 * *" # 1st of every month at midnight

-permissions:
-  contents: write
-
 jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
--- a/.github/workflows/reviewdog-linters.yml
+++ b/.github/workflows/reviewdog-linters.yml
@@ -3,15 +3,16 @@ name: Reviewdog Linters

 on: [push]

-permissions:
-  contents: read
-  packages: read
-  statuses: write
-
 jobs:
  linters:
    name: Linters
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
+
    steps:
      - uses: actions/checkout@v4

--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,15 +7,16 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  contents: write # only for delete-branch option
-  issues: write
-  pull-requests: write
-
 jobs:
  stale:
    name: 🧹 Clean up stale issues and PRs
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # only for delete-branch option
+      issues: write
+      pull-requests: write
+
    steps:
      - name: 🚀 Run stale
        uses: actions/stale@v9.0.0
--- a/.github/workflows/sync-labels-to-own-projects.yml
+++ b/.github/workflows/sync-labels-to-own-projects.yml
@@ -12,13 +12,12 @@ on:
  schedule:
    - cron: "0 0 * * *" # Every day at midnight

-permissions:
-  contents: write
-  statuses: write
-
 jobs:
  sync-labels:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      statuses: write
    outputs:
      repos: ${{ steps.repos.outputs.REPOS }}
    steps:
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -13,13 +13,12 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  issues: write
-
 jobs:
  labels:
    name: ♻️ Sync labels
    runs-on: ubuntu-latest
+    permissions:
+      issues: write
    steps:
      - name: ⤵️ Download latest labels definitions
        run: |