From 4855e56f3c99c47f371ff0e1b77d09b0705078ea Mon Sep 17 00:00:00 2001
From: Ismo Vuorinen
Date: Sat, 8 Mar 2025 02:27:49 +0200
Subject: [PATCH] chore(ci): update workflows
---
 .github/workflows/changelog.yml | 9 +++++++++
 .github/workflows/linters.yml | 6 +++---
 .github/workflows/new-release.yml | 6 +-----
 .github/workflows/pre-commit-autoupdate.yml | 9 +++++++++
 .github/workflows/semantic-pr.yml | 3 +++
 .github/workflows/sync-labels.yml | 6 +++++-
 .github/workflows/update-submodules.yml | 14 ++++++++++----
 7 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 68d39c8..5673a9a 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -1,19 +1,28 @@
 ---
 # yaml-language-server: https://json.schemastore.org/github-workflow.json
 name: Debug Changelog # Workflow name displayed on GitHub
+
 on:
 workflow_dispatch: # Trigger manually
+
+permissions: read-all
+
 jobs:
 debug-changelog:
 runs-on: self-hosted
+
+ permissions: write-all
+
 steps:
 - uses: actions/checkout@v4
+
 - name: Create changelog text
 id: changelog
 uses: loopwerk/tag-changelog@v1
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 config_file: .github/tag-changelog-config.js
+
 - name: 'Echo results'
 id: output-changelog
 run: |
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index dd14032..3eac968 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -4,15 +4,15 @@ name: reviewdog
 on: [push]
+permissions: read-all
+
 jobs:
 linters:
 name: Linters
 runs-on: self-hosted
- permissions:
- contents: write
- workflows: write
+ permissions: write-all
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/new-release.yml b/.github/workflows/new-release.yml
index a38a64a..8dd8caa 100644
--- a/.github/workflows/new-release.yml
+++ b/.github/workflows/new-release.yml
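Review bot: The job-level `permissions: write-all` added under `debug-changelog` in changelog.yml replaces the new workflow-level `read-all` for that job, so the `GITHUB_TOKEN` passed to `loopwerk/tag-changelog@v1` carries write access to every scope on a self-hosted runner. The visible steps only check out the repository and build changelog text, so `permissions:` with `contents: read` looks sufficient there. The same `write-all` is introduced in linters.yml, new-release.yml and update-submodules.yml, where it widens scopes that were previously itemised; listing only the scopes each job uses (for update-submodules the removed `contents: write`, `issues: write`, `pull-requests: write`) keeps the token least-privileged. The last step's `run: |` block continues outside the hunk, so confirm nothing after it needs write access.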
@@ -13,11 +13,7 @@ jobs:
 new-daily-release:
 runs-on: self-hosted
- permissions:
- contents: write
- pull-request: write
- release: write
- workflows: write
+ permissions: write-all
 outputs:
 created: ${{ steps.daily-version.outputs.created }}
diff --git a/.github/workflows/pre-commit-autoupdate.yml b/.github/workflows/pre-commit-autoupdate.yml
index 9ce006f..d4121d4 100644
--- a/.github/workflows/pre-commit-autoupdate.yml
+++ b/.github/workflows/pre-commit-autoupdate.yml
@@ -1,21 +1,30 @@
 ---
 # yaml-language-server: https://json.schemastore.org/github-workflow.json
 name: Pre-commit autoupdate
+
 on:
 schedule:
 # At 04:00 on Monday and Thursday.
 - cron: "0 4 * * 1,4"
 workflow_dispatch:
+
+permissions: read-all
+
 jobs:
 auto-update:
 runs-on: ubuntu-latest
+
 permissions:
 contents: write
 pull-requests: write
+
 steps:
 - uses: actions/checkout@v4
+
 - uses: actions/setup-python@v5.4.0
+
 - run: pip install pre-commit && pre-commit autoupdate
+
 - uses: peter-evans/create-pull-request@v7
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
index cdfe457..d3ef06b 100644
--- a/.github/workflows/semantic-pr.yml
+++ b/.github/workflows/semantic-pr.yml
@@ -9,9 +9,12 @@ on:
 - edited
 - synchronize
+permissions: read-all
+
 jobs:
 semantic-pr:
 runs-on: self-hosted
+
 steps:
 - uses: amannn/action-semantic-pull-request@v5.5.3
 env:
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 295fb9d..605f7b7 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -15,10 +15,14 @@ on:
 workflow_call:
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 SyncLabels:
+ runs-on: ubuntu-latest
+
 permissions:
 issues: write
- runs-on: ubuntu-latest
+
 steps:
 - uses: ivuorinen/actions/sync-labels@main
diff --git a/.github/workflows/update-submodules.yml b/.github/workflows/update-submodules.yml
index 3ffef36..a29aaa8 100644
--- a/.github/workflows/update-submodules.yml
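Review bot: In semantic-pr.yml the `semantic-pr` job has no `permissions` block of its own, so it inherits the new workflow-level `permissions: read-all` and the token handed to `amannn/action-semantic-pull-request@v5.5.3` can read every scope. The action only inspects pull request metadata, so a workflow-level `permissions:` with `pull-requests: read` would be the narrower grant. The step's `env:` block and the workflow trigger are outside the hunk, so check the event type before tightening, since this job runs on a self-hosted runner for pull request events.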
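Review bot: In sync-labels.yml the reshuffled `SyncLabels` job still resolves `ivuorinen/actions/sync-labels@main` from a branch, so whatever lands on that branch runs with `issues: write` on the next trigger, including callers that reach it through `workflow_call`. Pinning the reference to a full commit SHA, for example `- uses: ivuorinen/actions/sync-labels@<full-commit-sha> # main`, makes the executed code reviewable and lets the pin be bumped deliberately.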
+++ b/.github/workflows/update-submodules.yml
@@ -1,29 +1,35 @@
 ---
 # yaml-language-server: https://json.schemastore.org/github-workflow.json
 name: Update submodules
+
 on:
 schedule:
 # At 04:00 on Monday and Thursday.
 - cron: "0 4 * * 1,4"
 workflow_dispatch:
+
+permissions: read-all
+
 jobs:
 update-submodules:
- permissions:
- contents: write
- issues: write
- pull-requests: write
 runs-on: self-hosted
+
+ permissions: write-all
+
 steps:
+
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
 submodules: true
 fetch-depth: 2
 token: ${{secrets.GITHUB_TOKEN}}
+
 - name: Config Git User
 run: |
 git config --global user.name "${{ github.actor }}"
 git config --global user.email "${{ github.actor }}@users.noreply.github.com"
+
 - name: Update submodules
 run: |
 git submodule sync
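Review bot: In update-submodules.yml the `Config Git User` step expands `${{ github.actor }}` directly inside the `run:` script, and this job now runs with `permissions: write-all` on a self-hosted runner. Expressions are substituted into the script text before the shell starts, so the usual hardening is to pass the value through `env:` and reference it as a quoted shell variable. `git config --global` also writes to the runner account's git configuration, which may persist between jobs on a self-hosted machine; repository-local config would avoid that if the later steps allow it. The `Update submodules` step's `run: |` block continues outside the hunk.

```yaml
      - name: Config Git User
        env:
          ACTOR: ${{ github.actor }}
        run: |
          git config --global user.name "$ACTOR"
          git config --global user.email "$ACTOR@users.noreply.github.com"
      # … unchanged: Update submodules step …
```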