ci: Explicit permissions on actions (#1155)

doublethink · web-flow · commit 81f94009ddce · 2025-04-11T09:18:13.000+09:00
ci: explicit permissions on actions
revoke pull_request_target
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
     name: Generate Combined Coverage
diff --git a/.github/workflows/functions_client.yml b/.github/workflows/functions_client.yml
@@ -15,6 +15,9 @@ on:
       - '.github/workflows/functions_client.yml'
       - 'packages/yet_another_json_isolate/**'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/gotrue.yml b/.github/workflows/gotrue.yml
@@ -13,6 +13,9 @@ on:
       - 'packages/gotrue/**'
       - '.github/workflows/gotrue.yml'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/postgrest.yml b/.github/workflows/postgrest.yml
@@ -15,6 +15,9 @@ on:
       - '.github/workflows/postgrest.yml'
       - 'packages/yet_another_json_isolate/**'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/realtime_client.yml b/.github/workflows/realtime_client.yml
@@ -13,6 +13,9 @@ on:
       - 'packages/realtime_client/**'
       - '.github/workflows/realtime_client.yml'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/storage_client.yml b/.github/workflows/storage_client.yml
@@ -12,6 +12,9 @@ on:
       - 'packages/storage_client/**'
       - '.github/workflows/storage_client.yml'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/supabase.yml b/.github/workflows/supabase.yml
@@ -23,6 +23,9 @@ on:
       - 'packages/realtime_client/**'
       - 'packages/storage_client/**'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test SDK ${{ matrix.sdk }}
diff --git a/.github/workflows/supabase_flutter.yml b/.github/workflows/supabase_flutter.yml
@@ -27,6 +27,9 @@ on:
       - 'packages/supabase/**'
       - 'packages/yet_another_json_isolate/**'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test Flutter v${{ matrix.flutter-version }}
diff --git a/.github/workflows/title-validation.yml b/.github/workflows/title-validation.yml
@@ -2,12 +2,16 @@
 name: 'PR Title is Conventional'
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - edited
       - synchronize
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   main:
     name: Validate PR title
diff --git a/.github/workflows/yet_another_json_isolate.yml b/.github/workflows/yet_another_json_isolate.yml
@@ -13,6 +13,9 @@ on:
       - 'packages/yet_another_json_isolate/**'
       - '.github/workflows/yet_another_json_isolate.yml'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test SDK ${{ matrix.sdk }}
