From c18ea6bebed91f10d29ea81347a5945c03a91e52 Mon Sep 17 00:00:00 2001 From: Ismo Vuorinen Date: Wed, 21 Aug 2024 11:03:25 +0300 Subject: [PATCH] chore(workflows): set workflow permissions in jobs --- .github/workflows/composer-install.yml | 8 ++++---- .github/workflows/compress-images.yml | 12 +++++++----- .github/workflows/dependency-review.yml | 5 ++--- .github/workflows/laravel-phpunit.yml | 10 +++++----- .github/workflows/pr-compress-images.yml | 11 ++++++----- .github/workflows/pr-lint.yml | 16 ++++++++-------- .github/workflows/release-drafter.yml | 7 +++---- .github/workflows/release-monthly.yaml | 5 ++--- .github/workflows/reviewdog-linters.yml | 11 ++++++----- .github/workflows/stale.yml | 11 ++++++----- .../workflows/sync-labels-to-own-projects.yml | 7 +++---- .github/workflows/sync-labels.yml | 5 ++--- 12 files changed, 54 insertions(+), 54 deletions(-) diff --git a/.github/workflows/composer-install.yml b/.github/workflows/composer-install.yml index 4b9cdca..7661b9b 100644 --- a/.github/workflows/composer-install.yml +++ b/.github/workflows/composer-install.yml @@ -8,14 +8,14 @@ on: - "composer.json" - "composer.lock" -permissions: - contents: write - statuses: write - jobs: ComposerInstall: runs-on: ubuntu-latest + permissions: + contents: write + statuses: write + strategy: matrix: operating-system: ["ubuntu-latest"] diff --git a/.github/workflows/compress-images.yml b/.github/workflows/compress-images.yml index c9db34c..37c933c 100644 --- a/.github/workflows/compress-images.yml +++ b/.github/workflows/compress-images.yml @@ -8,15 +8,17 @@ on: schedule: - cron: "00 23 * * 0" -permissions: - contents: write - statuses: write - pull-requests: write - jobs: CompressOnDemandOrSchedule: name: calibreapp/image-actions + runs-on: ubuntu-latest + + permissions: + contents: write + statuses: write + pull-requests: write + steps: - name: Checkout Repo uses: actions/checkout@v4 
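Review bot: Dropping the workflow-level `permissions:` block in composer-install.yml leaves no fallback, so any job added to this file later without its own block runs with the repository's default GITHUB_TOKEN permissions rather than the least-privilege set this commit is aiming for; the same applies to every other workflow in the patch (compress-images, dependency-review, laravel-phpunit, pr-compress-images, pr-lint, release-drafter, release-monthly, reviewdog-linters, stale, sync-labels-to-own-projects, sync-labels). Keep a minimal workflow-level default above `jobs:` and let jobs override it, e.g. `permissions: {}` or `permissions:` / `contents: read`, since a job-level `permissions` key replaces the workflow-level one rather than adding to it. In this hunk the job-level block sits between `runs-on:` and `strategy:` with no explanation; a short comment naming which step needs `contents: write` and `statuses: write` would help, as the job's steps are outside the hunk.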
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 5efa8b2..d4889c4 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -12,12 +12,11 @@ name: "Dependency Review" on: [pull_request] -permissions: - contents: read - jobs: dependency-review: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: "Checkout Repository" uses: actions/checkout@v4 diff --git a/.github/workflows/laravel-phpunit.yml b/.github/workflows/laravel-phpunit.yml index 015103d..653cd86 100644 --- a/.github/workflows/laravel-phpunit.yml +++ b/.github/workflows/laravel-phpunit.yml @@ -7,18 +7,18 @@ on: pull_request: branches: [main] -permissions: - contents: write - statuses: write - jobs: laravel-tests: runs-on: ubuntu-latest + permissions: + contents: write + statuses: write + steps: - uses: shivammathur/setup-php@v2 with: - php-version: "8.1" + php-version: "8.3" - uses: actions/checkout@v4 diff --git a/.github/workflows/pr-compress-images.yml b/.github/workflows/pr-compress-images.yml index 05b8d96..3500ba3 100644 --- a/.github/workflows/pr-compress-images.yml +++ b/.github/workflows/pr-compress-images.yml @@ -11,17 +11,18 @@ on: - "**.png" - "**.webp" -permissions: - contents: write - statuses: write - pull-requests: write - jobs: CompressInPR: # Only run on Pull Requests within the same repository, and not from forks. if: github.event.pull_request.head.repo.full_name == github.repository name: calibreapp/image-actions runs-on: ubuntu-latest + + permissions: + contents: write + statuses: write + pull-requests: write + steps: - name: Checkout Repo uses: actions/checkout@v4 diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index 983580f..ba3321f 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml 
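Review bot: The `php-version: "8.1"` to `"8.3"` bump in laravel-phpunit.yml is unrelated to the permissions change the subject describes and is easy to miss inside a chore commit; it would be clearer as its own commit or at least called out in the message. Separately, the job-level block grants `contents: write` and `statuses: write` to a job whose visible steps only set up PHP and check out the repository; if no later step pushes to the repository, `contents: read` is the least-privilege choice, so either reduce it or add a comment naming the step that needs write. The job's remaining steps are outside the hunk, so this should be confirmed against the full file.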
@@ -24,14 +24,6 @@ on: pull_request: branches: [master, main] -############################################ -# Grant status permission for MULTI_STATUS # -############################################ -permissions: - contents: read - packages: read - statuses: write - ############### # Set the Job # ############### @@ -42,6 +34,14 @@ jobs: # Set the agent to run on runs-on: ubuntu-latest + ############################################ + # Grant status permission for MULTI_STATUS # + ############################################ + permissions: + contents: read + packages: read + statuses: write + ################## # Load all steps # ################## diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index a849de8..c3e3094 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -4,14 +4,13 @@ name: Release Drafter on: workflow_call: -permissions: - contents: write - statuses: write - jobs: update_release_draft: name: ✏️ Draft release runs-on: ubuntu-latest + permissions: + contents: write + statuses: write steps: - name: 🚀 Run Release Drafter uses: release-drafter/release-drafter@v6.0.0 diff --git a/.github/workflows/release-monthly.yaml b/.github/workflows/release-monthly.yaml index 008a466..aa98656 100644 --- a/.github/workflows/release-monthly.yaml +++ b/.github/workflows/release-monthly.yaml @@ -7,13 +7,12 @@ on: schedule: - cron: "0 0 1 * *" # 1st of every month at midnight -permissions: - contents: write - jobs: release: name: Release runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/reviewdog-linters.yml b/.github/workflows/reviewdog-linters.yml index 8346b28..05c3d7f 100644 --- a/.github/workflows/reviewdog-linters.yml +++ b/.github/workflows/reviewdog-linters.yml 
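Review bot: release-drafter.yml is triggered only by `workflow_call`, so the job-level `contents: write` / `statuses: write` added in this hunk can never exceed what the calling workflow passes in; a caller that grants less would presumably see the draft step fail at the API call rather than at workflow validation. A comment above the block such as `# effective only if the caller grants at least these scopes` would make that coupling visible to whoever wires up the caller. The same caveat applies to stale.yml, which also declares `workflow_call`.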
@@ -3,15 +3,16 @@ name: Reviewdog Linters on: [push] -permissions: - contents: read - packages: read - statuses: write - jobs: linters: name: Linters runs-on: ubuntu-latest + + permissions: + contents: read + packages: read + statuses: write + steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c007975..b03940f 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,15 +7,16 @@ on: workflow_call: workflow_dispatch: -permissions: - contents: write # only for delete-branch option - issues: write - pull-requests: write - jobs: stale: name: 🧹 Clean up stale issues and PRs runs-on: ubuntu-latest + + permissions: + contents: write # only for delete-branch option + issues: write + pull-requests: write + steps: - name: 🚀 Run stale uses: actions/stale@v9.0.0 diff --git a/.github/workflows/sync-labels-to-own-projects.yml b/.github/workflows/sync-labels-to-own-projects.yml index b301809..60bf7a7 100644 --- a/.github/workflows/sync-labels-to-own-projects.yml +++ b/.github/workflows/sync-labels-to-own-projects.yml @@ -12,13 +12,12 @@ on: schedule: - cron: "0 0 * * *" # Every day at midnight -permissions: - contents: write - statuses: write - jobs: sync-labels: runs-on: ubuntu-latest + permissions: + contents: write + statuses: write outputs: repos: ${{ steps.repos.outputs.REPOS }} steps: diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 8c7da12..5e5de18 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -13,13 +13,12 @@ on: workflow_call: workflow_dispatch: -permissions: - issues: write - jobs: labels: name: ♻️ Sync labels runs-on: ubuntu-latest + permissions: + issues: write steps: - name: ⤵️ Download latest labels definitions run: |
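Review bot: In sync-labels-to-own-projects.yml the job-level block grants `contents: write` and `statuses: write` but no `issues:` scope, while the sibling sync-labels.yml in the same patch grants only `issues: write` for the same kind of task, so at least one of the two looks off. If this job calls the labels API with GITHUB_TOKEN it needs `issues: write` and likely not `contents: write`; if it uses a separate token for the other repositories, the GITHUB_TOKEN scopes here may be reducible to `permissions: {}`. The job's steps are outside the hunk, so confirm against them and document the chosen scopes with a one-line comment, as stale.yml already does for its `contents: write`.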