From 7b40f1555b4724c9993479b55970057fe701e167 Mon Sep 17 00:00:00 2001
From: Claas Augner <495429+caugner@users.noreply.github.com>
Date: Fri, 7 Feb 2025 11:36:21 +0100
Subject: [PATCH] fix(workflows): assign explicit permissions (#38017)
Also documents what they are used for.
---
 .github/workflows/auto-cleanup-bot.yml | 4 ++++
 .github/workflows/auto-merge.yml | 3 +++
 .github/workflows/idle-issues.yml | 6 ++++++
 .github/workflows/interfacedata-updater.yml | 3 +++
 .github/workflows/issue-regex-labeler.yml | 4 ++++
 .github/workflows/lock-closed.yml | 8 ++++++++
 .github/workflows/markdown-lint.yml | 3 +++
 .github/workflows/new-issues.yml | 4 ++++
 .github/workflows/ping-other-repos.yml | 4 ++++
 .github/workflows/pr-check-lint_content.yml | 1 +
 .github/workflows/pr-check_cspell_lists.yml | 3 +++
 .github/workflows/pr-check_javascript.yml | 3 +++
 .github/workflows/pr-check_json.yml | 3 +++
 .github/workflows/pr-check_redirects.yml | 3 +++
 .github/workflows/pr-check_scripts.yml | 3 +++
 .github/workflows/pr-check_url-issues.yml | 3 +++
 .github/workflows/pr-check_yml.yml | 3 +++
 .github/workflows/pr-labeler.yml | 3 +++
 .github/workflows/pr-rebase-needed.yml | 4 ++++
 .github/workflows/pr-review-companion.yml | 6 ++++++
 .github/workflows/pr-test-legacy.yml | 7 ++++---
 .github/workflows/pr-test.yml | 7 ++++---
 .github/workflows/spelling-check-bot.yml | 4 ++++
 .github/workflows/system-file-changes.yml | 3 +++
 24 files changed, 89 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/auto-cleanup-bot.yml b/.github/workflows/auto-cleanup-bot.yml
index c3e23c58576680b..254108e43b2a832 100644
--- a/.github/workflows/auto-cleanup-bot.yml
+++ b/.github/workflows/auto-cleanup-bot.yml
@@ -5,6 +5,10 @@ on:
 - cron: "0 0 * * *"
 workflow_dispatch:
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+# We use AUTOMERGE_TOKEN to create the PR.
+permissions: {}
+
 jobs:
 fix:
 if: github.repository == 'mdn/content'
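Review bot: The comment on `+# We use AUTOMERGE_TOKEN to create the PR.` leaves the important caveat implicit: `permissions: {}` bounds only GITHUB_TOKEN, while whatever the job can do with `AUTOMERGE_TOKEN` is bounded by that PAT's own scopes, which this file cannot express. Suggest making that explicit, e.g. `# permissions: {} limits GITHUB_TOKEN only; AUTOMERGE_TOKEN is scoped where the PAT is issued.` The same wording would help in auto-merge.yml and interfacedata-updater.yml; auto-merge.yml additionally runs on `pull_request_target`, so the job it declares (outside that hunk) is where the PAT's reach is effectively decided. Since "increase API limit" implies the token is still sent, it is also worth confirming that an empty grant still authenticates the calls the job makes; presumably only metadata reads remain.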
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index c0930e006765243..6d24cb5d5abee97 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -3,6 +3,9 @@ name: auto-merge
 on:
 pull_request_target:
+# No GITHUB_TOKEN permissions, as we use AUTOMERGE_TOKEN instead.
+permissions: {}
+
 jobs:
 auto-merge:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/idle-issues.yml b/.github/workflows/idle-issues.yml
index 419eb356d69557d..40c7ceecc327fc2 100644
--- a/.github/workflows/idle-issues.yml
+++ b/.github/workflows/idle-issues.yml
@@ -3,6 +3,12 @@ on:
 schedule:
 - cron: "49 11,23 * * *"
+permissions:
+ # Label issues.
+ issues: write
+ # Label pull requests.
+ pull-requests: write
+
 jobs:
 idle:
 uses: mdn/workflows/.github/workflows/idle.yml@main
diff --git a/.github/workflows/interfacedata-updater.yml b/.github/workflows/interfacedata-updater.yml
index a188d4dcd7bf989..d059ec5edc83037 100644
--- a/.github/workflows/interfacedata-updater.yml
+++ b/.github/workflows/interfacedata-updater.yml
@@ -6,6 +6,9 @@ on:
 - cron: "0 0 * * 6"
 workflow_dispatch:
+# No GITHUB_TOKEN permissions, as we use AUTOMERGE_TOKEN instead.
+permissions: {}
+
 jobs:
 update:
 if: github.repository == 'mdn/content'
diff --git a/.github/workflows/issue-regex-labeler.yml b/.github/workflows/issue-regex-labeler.yml
index a300a12f776ab69..0790a0d614ee24b 100644
--- a/.github/workflows/issue-regex-labeler.yml
+++ b/.github/workflows/issue-regex-labeler.yml
@@ -3,6 +3,10 @@ on:
 issues:
 types: [opened]
+permissions:
+ # Label issues.
+ issues: write
+
 jobs:
 issue-labeler:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lock-closed.yml b/.github/workflows/lock-closed.yml
index 936b01461041521..9fb1f727e80486c 100644
--- a/.github/workflows/lock-closed.yml
+++ b/.github/workflows/lock-closed.yml
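Review bot: The new `issues: write` and `pull-requests: write` grants in idle-issues.yml are inherited by the reusable workflow on the `uses: mdn/workflows/.github/workflows/idle.yml@main` line, and because `@main` is a mutable ref, the comments `# Label issues.` / `# Label pull requests.` describe today's use rather than anything this file enforces. If mdn/workflows is treated as a trusted same-org repository, say so in the comment; otherwise pin the called workflow to a tag or commit SHA so the grant and the code it reaches change together. lock-closed.yml and pr-rebase-needed.yml have the same shape (`lock-closed.yml@main`, `pr-rebase-needed.yml@main`).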
@@ -3,6 +3,14 @@ on:
 schedule:
 - cron: "0 9 1 * *"
+permissions:
+ # Lock discussions.
+ discussions: write
+ # Lock issues.
+ issues: write
+ # Lock pull requests.
+ pull-requests: write
+
 jobs:
 lock:
 uses: mdn/workflows/.github/workflows/lock-closed.yml@main
diff --git a/.github/workflows/markdown-lint.yml b/.github/workflows/markdown-lint.yml
index 1133c590e81b44b..abc9030366839ca 100644
--- a/.github/workflows/markdown-lint.yml
+++ b/.github/workflows/markdown-lint.yml
@@ -13,6 +13,9 @@ on:
 - .github/workflows/markdown-lint.yml
 - .github/workflows/markdownlint-problem-matcher.json
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
 docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/new-issues.yml b/.github/workflows/new-issues.yml
index 373f82caa792897..c59b9ce1aaba239 100644
--- a/.github/workflows/new-issues.yml
+++ b/.github/workflows/new-issues.yml
@@ -6,6 +6,10 @@ on:
 - reopened
 - opened
+permissions:
+ # Label issues.
+ issues: write
+
 jobs:
 label-new-issues:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ping-other-repos.yml b/.github/workflows/ping-other-repos.yml
index a49d93c7fd083cb..33552b5fe8eaf83 100644
--- a/.github/workflows/ping-other-repos.yml
+++ b/.github/workflows/ping-other-repos.yml
@@ -11,6 +11,10 @@ name: Ping other repos
 on:
 push:
 branches: [main]
+
+# No GITHUB_TOKEN permissions, as we use REPO_PINGER_MDN_SPEC_LINKS.
+permissions: {}
+
 jobs:
 ping:
 # Don't run in forks, or when Dependabot merges a PR.
diff --git a/.github/workflows/pr-check-lint_content.yml b/.github/workflows/pr-check-lint_content.yml
index 12a3a039a97efdd..6e33e714d286d18 100644
--- a/.github/workflows/pr-check-lint_content.yml
+++ b/.github/workflows/pr-check-lint_content.yml
@@ -10,6 +10,7 @@ on:
 - "files/**/*.md"
 permissions:
+ # Compare commits and add reviewdog comments.
 pull-requests: write
 concurrency:
diff --git a/.github/workflows/pr-check_cspell_lists.yml b/.github/workflows/pr-check_cspell_lists.yml
index eb3139a842d4953..ec9f40d2d913f3c 100644
--- a/.github/workflows/pr-check_cspell_lists.yml
+++ b/.github/workflows/pr-check_cspell_lists.yml
@@ -7,6 +7,9 @@ on:
 paths:
 - .vscode/dictionaries/*
+# No GITHUB_TOKEN permissions, as we don't use it.
+permissions: {}
+
 jobs:
 docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-check_javascript.yml b/.github/workflows/pr-check_javascript.yml
index 336dd8e3bda6090..cfb477c123a4540 100644
--- a/.github/workflows/pr-check_javascript.yml
+++ b/.github/workflows/pr-check_javascript.yml
@@ -10,6 +10,9 @@ on:
 - "**/*.mjs"
 - .github/workflows/pr-check_javascript.yml
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
 lint-js:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-check_json.yml b/.github/workflows/pr-check_json.yml
index 638be2b97b5ad8c..a2bb981f97bec2e 100644
--- a/.github/workflows/pr-check_json.yml
+++ b/.github/workflows/pr-check_json.yml
@@ -10,6 +10,9 @@ on:
 - "**/*.jsonc"
 - .github/workflows/pr-check_json.yml
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
 lint-json:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-check_redirects.yml b/.github/workflows/pr-check_redirects.yml
index 249647923a93c4a..a575ffc16be63b3 100644
--- a/.github/workflows/pr-check_redirects.yml
+++ b/.github/workflows/pr-check_redirects.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
 check-redirects:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-check_scripts.yml b/.github/workflows/pr-check_scripts.yml
index a5b55c8d6f8d8b2..a475212217ff236 100644
--- a/.github/workflows/pr-check_scripts.yml
+++ b/.github/workflows/pr-check_scripts.yml
@@ -10,6 +10,9 @@ on:
 - yarn.lock
 - .github/workflows/pr-check_scripts.yml
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
 up-to-date-check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-check_url-issues.yml b/.github/workflows/pr-check_url-issues.yml
index 96398ea0f37e6b5..bff1bf2350fa13a 100644
--- a/.github/workflows/pr-check_url-issues.yml
+++ b/.github/workflows/pr-check_url-issues.yml
@@ -7,6 +7,9 @@ on:
 paths:
 - "files/**/*.md"
+# No GITHUB_TOKEN permissions, as we don't use it.
+permissions: {}
+
 jobs:
 check_url_issues:
 #if: github.repository == 'mdn/content'
diff --git a/.github/workflows/pr-check_yml.yml b/.github/workflows/pr-check_yml.yml
index 4cf949dd7daddf0..4b7789a519a4617 100644
--- a/.github/workflows/pr-check_yml.yml
+++ b/.github/workflows/pr-check_yml.yml
@@ -10,6 +10,9 @@ on:
 - "**/*.yml"
 - .github/workflows/pr-check_yml.yml
+# No GITHUB_TOKEN permissions, as we only use it to increase API limit.
+permissions: {}
+
 jobs:
 lint-yml:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 342e1d366095189..feee402d349463c 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -4,8 +4,11 @@ on:
 - pull_request_target
 permissions:
+ # Patch issues, see: https://github.com/CodelyTV/pr-size-labeler/pull/89
 issues: write
+ # Label pull requests.
 pull-requests: write
+ # Fetch files (used by actions/labeler to get config).
 contents: read
 jobs:
diff --git a/.github/workflows/pr-rebase-needed.yml b/.github/workflows/pr-rebase-needed.yml
index 9cd362fdac42979..f44a7383c97f203 100644
--- a/.github/workflows/pr-rebase-needed.yml
+++ b/.github/workflows/pr-rebase-needed.yml
@@ -5,6 +5,10 @@ on:
 pull_request_target:
 types: [synchronize]
+permissions:
+ # Label pull requests.
+ pull-requests: write
+
 jobs:
 label-rebase-needed:
 uses: mdn/workflows/.github/workflows/pr-rebase-needed.yml@main
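Review bot: In pr-labeler.yml the `# Patch issues, see: https://github.com/CodelyTV/pr-size-labeler/pull/89` comment records a workaround but not when the grant can go away: `issues: write` is presumably needed only because pr-size-labeler writes labels through the issues API, and this workflow runs on `pull_request_target` (visible two lines up), so a write scope that exists only for a third-party action's sake is worth tagging for removal. Suggest `# TODO: drop issues: write once pr-size-labeler no longer needs it (CodelyTV/pr-size-labeler#89).` The job that runs the action is outside the hunk.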
diff --git a/.github/workflows/pr-review-companion.yml b/.github/workflows/pr-review-companion.yml
index 13b3122ee88106d..978b0a922196767 100644
--- a/.github/workflows/pr-review-companion.yml
+++ b/.github/workflows/pr-review-companion.yml
@@ -11,6 +11,12 @@ on:
 types:
 - completed
+permissions:
+ # Download artifact.
+ actions: read
+ # Post comment in pull request.
+ pull-requests: write
+
 jobs:
 review:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-test-legacy.yml b/.github/workflows/pr-test-legacy.yml
index e390e19231b95bc..c3b5718c93b5309 100644
--- a/.github/workflows/pr-test-legacy.yml
+++ b/.github/workflows/pr-test-legacy.yml
@@ -11,13 +11,14 @@ on:
 branches:
 - main
+permissions:
+ # Compare two commits.
+ contents: read
+
 jobs:
 tests:
 if: github.repository == 'mdn/content'
 runs-on: ubuntu-latest
- # Set the permissions to `read-all`, preventing the workflow from
- # any accidental write access to the repository.
- permissions: read-all
 env:
 BASE_SHA: ${{ github.event.pull_request.base.sha }}
 HEAD_SHA: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml
index b6b679099dff360..c4082cc0a483e00 100644
--- a/.github/workflows/pr-test.yml
+++ b/.github/workflows/pr-test.yml
@@ -11,13 +11,14 @@ on:
 branches:
 - main
+permissions:
+ # Compare two commits.
+ contents: read
+
 jobs:
 tests:
 if: github.repository == 'mdn/content'
 runs-on: ubuntu-latest
- # Set the permissions to `read-all`, preventing the workflow from
- # any accidental write access to the repository.
- permissions: read-all
 env:
 BASE_SHA: ${{ github.event.pull_request.base.sha }}
 HEAD_SHA: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/spelling-check-bot.yml b/.github/workflows/spelling-check-bot.yml
index 6869ba085cfeee5..bdf920c38098f91 100644
--- a/.github/workflows/spelling-check-bot.yml
+++ b/.github/workflows/spelling-check-bot.yml
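Review bot: In pr-review-companion.yml, `# Download artifact.` and `# Post comment in pull request.` document the mechanics but not the trust boundary: the artifact is presumably produced by the pull request's own run (the `types: - completed` trigger suggests `workflow_run`), so its contents are controlled by the PR author while this workflow holds `pull-requests: write` in the base repository. Suggest extending the first comment, e.g. `# Download artifact (PR-controlled input: treat as data, never interpolate into shell).` The job that consumes the artifact is outside the hunk.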
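Review bot: In pr-test-legacy.yml, replacing the job-level `permissions: read-all` with a workflow-level `contents: read` narrows more than `# Compare two commits.` suggests: every other scope that `read-all` granted (`pull-requests`, `actions`, `issues`, ...) is now none for every job in the file, including any job outside this hunk. The visible `tests` job takes `BASE_SHA`/`HEAD_SHA` from the event payload rather than the API, so that path is unaffected, but any step that queries the PR or other runs with GITHUB_TOKEN would now be denied; worth checking the remainder of the job. The removed lines also carried the rationale, which is worth keeping: `# contents: read is all that comparing two commits needs; nothing in this workflow may write.` pr-test.yml has the identical change.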
@@ -5,6 +5,10 @@ on:
 - cron: "0 0 * * mon"
 workflow_dispatch:
+permissions:
+ # Create issue.
+ issues: write
+
 jobs:
 sync:
 if: github.repository == 'mdn/content'
diff --git a/.github/workflows/system-file-changes.yml b/.github/workflows/system-file-changes.yml
index 89fd2c59dcb5423..b3b3dbbde3fde46 100644
--- a/.github/workflows/system-file-changes.yml
+++ b/.github/workflows/system-file-changes.yml
@@ -10,6 +10,9 @@ on:
 - package.json
 - yarn.lock
+# No GITHUB_TOKEN permissions, as we don't use it.
+permissions: {}
+
 jobs:
 block:
 # This makes sure it only runs on our origin repo