From e300fbd6ad874556bba1a96fb07a54ce30b51109 Mon Sep 17 00:00:00 2001
From: Joey Parrish
Date: Mon, 9 Dec 2024 14:21:31 -0800
Subject: [PATCH] ci: Update workflow permissions

Now that default permissions are read-only, we must enable specific permissions for certain workflow jobs.
---
.github/workflows/deflake.yaml | 3 +++
.github/workflows/selenium-lab-tests.yaml | 9 +++++++++
.github/workflows/sync-labels.yaml | 5 +++++
.github/workflows/update-issues.yaml | 11 +++++++----
.github/workflows/update-screenshots.yaml | 10 ++++++++++
5 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/deflake.yaml b/.github/workflows/deflake.yaml
index 9f60b0c964..c764275739 100644
--- a/.github/workflows/deflake.yaml
+++ b/.github/workflows/deflake.yaml
@@ -15,6 +15,9 @@ jobs:
deflake:
if: ${{ github.event.workflow_run.conclusion == 'failure' }}
runs-on: ubuntu-latest
+ permissions:
+ # "Write" to Actions to enable rerun command.
+ actions: write
steps: - name: Check run count and re-run workflow
diff --git a/.github/workflows/selenium-lab-tests.yaml b/.github/workflows/selenium-lab-tests.yaml
index 56bf6d9b3e..5ffc9aff6c 100644
--- a/.github/workflows/selenium-lab-tests.yaml
+++ b/.github/workflows/selenium-lab-tests.yaml
@@ -145,6 +145,11 @@ jobs:
name: Pre-build Player
needs: compute-sha
runs-on: ubuntu-latest
+
+ permissions:
+ # "Write" to statuses to update commit status
+ statuses: write
+
steps: - uses: actions/checkout@v4
with:
@@ -209,6 +214,10 @@ jobs:
# lab's Selenium grid on port 4444.
runs-on: self-hosted-selenium
+ permissions:
+ # "Write" to statuses to update commit status
+ statuses: write
+
# Only one run of this job is allowed at a time, since it uses physical
# resources in our lab.
concurrency:
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index 0b679eab38..ac1b6caa69 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
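Review bot: `actions: write` on the `deflake` job is an all-or-nothing scope: beyond the re-run call the comment mentions, it also lets the GITHUB_TOKEN cancel runs and delete artifacts and caches repository-wide, and this job is entered from `workflow_run` whenever the upstream run failed — including, if that upstream workflow runs on fork pull requests, failures an outside contributor can produce at will. The only brake visible here is the `Check run count and re-run workflow` step, whose body lies outside the hunk; it should cap re-runs per run id, and unless deflaking fork runs is intentional the job should also skip runs whose `github.event.workflow_run.head_repository.full_name` differs from `github.repository`. I would also make the comment honest about the breadth: `# "Write" to Actions: needed for the re-run API, but also grants cancel/delete on runs, artifacts and caches, so keep this job minimal.`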
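Review bot: The `Pre-build Player` job now holds a `statuses: write` token while it checks out and builds the tree, and `actions/checkout@v4` persists that token into `.git/config` unless the `with:` block (cut off at the end of the hunk) sets `persist-credentials: false`; any build script in the checked-out tree can then read the token and post an arbitrary status for the commit. If the SHA being built can come from a pull request — the `needs: compute-sha` dependency suggests it is resolved dynamically — that is a way for a contributor to green-wash their own change. Either add `persist-credentials: false` to the checkout step, or keep `statuses: write` off the build job and set the status from a separate job that executes no repository code, as `update-screenshots.yaml` does with its status jobs in this same patch.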
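Review bot: Granting `statuses: write` to the job that runs on `self-hosted-selenium` places a write-capable GITHUB_TOKEN on a long-lived, physically shared runner while it executes the test suite; a self-hosted runner is not a fresh VM per job, so anything left behind by a previous run, or test code under a contributor's control, can reuse the token to set commit statuses. This patch already shows the safer shape in `update-screenshots.yaml`: a `set-final-status` job on `ubuntu-latest` with `needs: [...]` and `if: ${{ success() || failure() }}` that alone holds `statuses: write`. I would move the status update out of the lab job into such a follower job and leave the lab job on the read-only default; the lab job's steps are outside this hunk, so verify the status call is its only use of the token before dropping the scope.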
@@ -16,6 +16,11 @@ on:
jobs:
sync-labels:
runs-on: ubuntu-latest
+
+ permissions:
+ # "Write" to Issues to manage labels for the repo
+ issues: write
+
steps: - name: Checkout code
uses: actions/checkout@v4
diff --git a/.github/workflows/update-issues.yaml b/.github/workflows/update-issues.yaml
index 6424ce19ae..29b6984a65 100644
--- a/.github/workflows/update-issues.yaml
+++ b/.github/workflows/update-issues.yaml
@@ -8,13 +8,16 @@ on:
# Run every 30 minutes - cron: '*/30 * * * *'
-permissions:
- issues: write
- pull-requests: write
-
jobs:
update-issues:
runs-on: ubuntu-latest
+
+ permissions:
+ # "Write" to Issues to add labels, milestones, comments, etc.
+ issues: write
+ # "Write" to Pull Requests for the same.
+ pull-requests: write
+
steps: - name: Checkout code
uses: actions/checkout@v4
diff --git a/.github/workflows/update-screenshots.yaml b/.github/workflows/update-screenshots.yaml
index 28848ad991..6a49b08a50 100644
--- a/.github/workflows/update-screenshots.yaml
+++ b/.github/workflows/update-screenshots.yaml
@@ -29,6 +29,11 @@ jobs:
name: Set Pending Status
needs: compute-sha
runs-on: ubuntu-latest
+
+ permissions:
+ # "Write" to statuses to update commit status
+ statuses: write
+
steps: - uses: actions/checkout@v4
with:
@@ -107,6 +112,11 @@ jobs:
set-final-status:
name: Set Final Status
runs-on: ubuntu-latest
+
+ permissions:
+ # "Write" to statuses to update commit status
+ statuses: write
+
needs: [compute-sha, run-lab-tests, update-pr]
# Will run on success or failure, but not if the workflow is cancelled.
if: ${{ success() || failure() }}
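Review bot: Once a job-level `permissions:` block names any scope, every scope it does not name is set to `none` rather than the repository default, so after this change the `sync-labels` job no longer has `contents: read` even though its first step is `actions/checkout@v4`. On a public repository the clone may still go through anonymously, which is why this is easy to miss, but the job would break the day the repository became private, and an explicit scope documents what the steps need. I would extend the block with `# "Read" to Contents for actions/checkout` / `contents: read` next to `issues: write`.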
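Review bot: The block moved onto the `update-issues` job lists `issues` and `pull-requests` only, which — exactly as the old workflow-level block did — leaves `contents` at `none`, yet the job's first step is `actions/checkout@v4`; that this has worked suggests the clone succeeds anonymously on a public repository rather than with the token. Add `contents: read` explicitly (`# "Read" to Contents for actions/checkout` / `contents: read`) so the declared set matches what the steps do and does not depend on repository visibility. Separately, the comment `"Write" to Pull Requests for the same.` would be more useful naming the concrete call that needs the PR scope; if the script only labels, milestones and comments as the comments say, check that `pull-requests: write` is actually exercised and drop it if not — the script itself is outside this hunk.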
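Review bot: Only the two status jobs in `update-screenshots.yaml` received permissions, and the diffstat (`10 ++++++++++`, matched by the two five-line hunks) confirms nothing else in the file changed, so `update-pr` — which `set-final-status` depends on via `needs: [compute-sha, run-lab-tests, update-pr]` and whose name suggests it pushes screenshot updates to the pull request — is still on the read-only default. If it pushes with GITHUB_TOKEN it will now fail with a 403; if it uses a separately issued token or app credential that is fine, but worth stating in a comment on that job so the next permissions audit does not re-ask. The definitions of `update-pr` and `run-lab-tests` are outside this hunk, so I cannot confirm which case applies.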