From 2fa0879360127f793c6a4972e6989627257326cf Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Thu, 23 Jan 2025 22:44:53 +0200
Subject: [PATCH 1/3] t
---
 .github/workflows/build-image-test.yaml | 2 +-
 .github/workflows/build-image.yaml | 4 ++--
 .github/workflows/ci-cd.yml | 2 +-
 .github/workflows/pr-title.yml | 3 +++
 .github/workflows/pre-commit.yaml | 4 ++++
 .github/workflows/release.yml | 4 ++++
 .github/workflows/scheduled-runs.yml | 3 +++
 .github/workflows/stale-actions.yaml | 5 +++++
 8 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml
index 37724cfd6..3a48db2e8 100644
--- a/.github/workflows/build-image-test.yaml
+++ b/.github/workflows/build-image-test.yaml
@@ -8,7 +8,7 @@ env:
 IMAGE_TAG: pr-test
 permissions:
- contents: read
+ contents: read # To read Dockerfile and codebase
 jobs:
 build:
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 68dc23d70..8dd0e837e 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -11,8 +11,8 @@ on:
 - cron: 00 00 * * *
 permissions:
- contents: read
- packages: write
+ contents: read # To read Dockerfile and codebase
+ packages: write # To publish container image
 jobs:
 docker:
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index b5f4b0b0f..ad2e7ff7e 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -17,7 +17,7 @@ on:
 workflow_call: # a way to embed the main tests
 permissions:
- contents: read
+ contents: none #???? To read codebase
 concurrency:
 group: >-
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index b9c032372..8b1fbfd53 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -9,6 +9,9 @@ on:
 - edited
 - synchronize
+permissions:
+ pull-requests: read # To read the PR title
+
 jobs:
 main:
 name: Validate PR title
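Review bot: `contents: none #???? To read codebase` in the ci-cd.yml hunk leaves the workflow token with no repository read scope while the comment still says the job reads the codebase, and the `????` marker ships that uncertainty into the file. If a job in this workflow checks out the repository with the token (the jobs are outside the hunk), it needs `contents: read` on a private repository; `none` is only enough where the checkout can read the repository anonymously. Settle it before merge, e.g. `contents: read # To read codebase`, or keep `none` and replace the comment with the reason it is sufficient. The same line is rewritten again in the second patch of this series, so the resolution belongs there as well.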
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index 3e92524dd..aa10868b0 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -4,6 +4,10 @@ name: Common issues check
 on: [pull_request]
+permissions:
+ contents: write # Backpush pre-commit fixes
+
+
 jobs:
 pre-commit:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 307dc0615..67be1e7f8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,10 @@ on:
 - .pre-commit-hooks.yaml
 # Ignore paths
 - '!tests/**'
+
+permissions:
+ contents: write # To create releases
+
 jobs:
 release:
 name: Release
diff --git a/.github/workflows/scheduled-runs.yml b/.github/workflows/scheduled-runs.yml
index 9d8403cf2..e6a69de02 100644
--- a/.github/workflows/scheduled-runs.yml
+++ b/.github/workflows/scheduled-runs.yml
@@ -10,6 +10,9 @@ on:
 - cron: 3 5 * * * # run daily at 5:03 UTC
 workflow_dispatch: # manual trigger
+permissions:
+ contents: read # To read codebase
+
 run-name: >-
 🌃
 Nightly run of
diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml
index eefcd8b16..e038cb810 100644
--- a/.github/workflows/stale-actions.yaml
+++ b/.github/workflows/stale-actions.yaml
@@ -5,6 +5,11 @@ on:
 schedule:
 - cron: 0 0 * * *
+permissions:
+ contents: write # To delete branches.
+ issues: write # To mark and close stale issues.
+ pull-requests: write # To mark and close stale pull requests.
+
 jobs:
 stale:
 runs-on: ubuntu-latest
From 9ab1e7aacf10fb3c4321a9279bdbb5455b9490a2 Mon Sep 17 00:00:00 2001
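Review bot: `contents: write # Backpush pre-commit fixes` in the pre-commit.yaml hunk hands a write-capable token to a workflow that runs on `pull_request`, so hooks and configuration taken from the PR branch execute with push rights to the repository. For pull requests from forks GitHub caps the token at read-only regardless of this key, so the backpush cannot work in that case anyway; for same-repository PRs it works but exposes the write token to PR-controlled code. Prefer `contents: read` here and move the backpush to a workflow that runs on trusted, already-merged refs, or record in the comment why write on `pull_request` is accepted. The two added blank lines before `jobs:` are also one more than the other workflows in this series use.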
From: MaxymVlasov
Date: Thu, 23 Jan 2025 22:52:53 +0200
Subject: [PATCH 2/3] t
---
 .github/workflows/build-image-test.yaml | 3 ++-
 .github/workflows/build-image.yaml | 6 ++++--
 .github/workflows/ci-cd.yml | 3 ++-
 .github/workflows/pr-title.yml | 3 ++-
 .github/workflows/pre-commit.yaml | 3 ++-
 .github/workflows/release.yml | 3 ++-
 .github/workflows/scheduled-runs.yml | 3 ++-
 .github/workflows/stale-actions.yaml | 7 ++++---
 8 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml
index 3a48db2e8..aca2a6a31 100644
--- a/.github/workflows/build-image-test.yaml
+++ b/.github/workflows/build-image-test.yaml
@@ -8,7 +8,8 @@ env:
 IMAGE_TAG: pr-test
 permissions:
- contents: read # To read Dockerfile and codebase
+ contents: none
+ # contents: read # To read Dockerfile and codebase
 jobs:
 build:
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 8dd0e837e..a40bd0aa3 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -9,10 +9,12 @@ on:
 - created
 schedule:
 - cron: 00 00 * * *
+ push:
 permissions:
- contents: read # To read Dockerfile and codebase
- packages: write # To publish container image
+ contents: none
+ # contents: read # To read Dockerfile and codebase
+ # packages: write # To publish container image
 jobs:
 docker:
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index ad2e7ff7e..7b115c0bd 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -17,7 +17,8 @@ on:
 workflow_call: # a way to embed the main tests
 permissions:
- contents: none #???? To read codebase
+ contents: none
+ # contents: read # To read codebase
 concurrency:
 group: >-
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 8b1fbfd53..0d0a5ba92 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
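Review bot: `contents: none` with the real scope commented out below it, as in the build-image-test.yaml hunk, leaves the workflow token with no permission at all, because naming any scope at the top-level `permissions:` key sets every unspecified scope to none. This commit applies the same pattern to build-image.yaml (where `packages: write` is also commented out, so the image publish will be refused), ci-cd.yml, pr-title.yml, pre-commit.yaml, release.yml, scheduled-runs.yml and stale-actions.yaml (whose stale job needs `issues: write` and `pull-requests: write` to close anything). Probing for the minimum set is reasonable on a branch, but the commented-out scopes should be restored, or their comments rewritten to say why `none` is enough, before merge. Where an empty permission set really is the intent, `permissions: {}` states it more directly than a lone `contents: none`.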
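Review bot: `push:` added under `on:` in the build-image.yaml hunk carries no `branches:`, `tags:` or `paths:` filter, so a workflow whose committed purpose is publishing a container image now starts on every push to any ref. If it was added only to exercise the permission change on this branch, drop it before merge; otherwise constrain it to the release branches, e.g. `push:` followed by `branches: [main]` on the next line. The publish job itself is outside the hunk, so whether an unfiltered push could publish a tag from a feature branch cannot be checked here and should be confirmed.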
@@ -10,7 +10,8 @@ on:
 - synchronize
 permissions:
- pull-requests: read # To read the PR title
+ contents: none
+ # pull-requests: read # To read the PR title
 jobs:
 main:
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index aa10868b0..202009fa0 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -5,7 +5,8 @@ name: Common issues check
 on: [pull_request]
 permissions:
- contents: write # Backpush pre-commit fixes
+ contents: none
+ # contents: write # Backpush pre-commit fixes
 jobs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 67be1e7f8..8769bca77 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,8 @@ on:
 - '!tests/**'
 permissions:
- contents: write # To create releases
+ contents: none
+ # contents: write # To create releases
 jobs:
 release:
diff --git a/.github/workflows/scheduled-runs.yml b/.github/workflows/scheduled-runs.yml
index e6a69de02..0ba3970a3 100644
--- a/.github/workflows/scheduled-runs.yml
+++ b/.github/workflows/scheduled-runs.yml
@@ -11,7 +11,8 @@ on:
 workflow_dispatch: # manual trigger
 permissions:
- contents: read # To read codebase
+ contents: none
+ # contents: read # To read codebase
 run-name: >-
 🌃
diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml
index e038cb810..493ce9e46 100644
--- a/.github/workflows/stale-actions.yaml
+++ b/.github/workflows/stale-actions.yaml
@@ -6,9 +6,10 @@ on:
 - cron: 0 0 * * *
 permissions:
- contents: write # To delete branches.
- issues: write # To mark and close stale issues.
- pull-requests: write # To mark and close stale pull requests.
+ contents: none
+ # contents: write # To delete branches.
+ # issues: write # To mark and close stale issues.
+ # pull-requests: write # To mark and close stale pull requests.
 jobs:
 stale:
From e7b0b63573bb9f51c13227bd57a76d6197ec1e7d Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Thu, 23 Jan 2025 23:03:03 +0200
Subject: [PATCH 3/3] Just to make it run at least somehow
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8769bca77..ce08c9f75 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,4 +39,4 @@ jobs:
 @semantic-release/changelog@6.0.0
 @semantic-release/git@10.0.0
 env:
- GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
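Review bot: Replacing the stored token with `${{ secrets.GITHUB_TOKEN }}` narrows the blast radius of a leaked secret, but events created with the workflow token do not start other workflows, so a release published by semantic-release will no longer trigger build-image.yaml, whose `on:` block in the second patch listens on `release:` / `- created`. In addition, release.yml still carries `contents: none` from the second patch, so with the default token semantic-release can neither create the release nor let `@semantic-release/git` push the changelog commit; the job needs at least `contents: write # To create releases and push changelog commits`, and, depending on how the GitHub plugin's issue/PR commenting is configured, possibly `issues: write` and `pull-requests: write` too. If the downstream image build must keep firing on release, either keep a narrowly scoped token for this one step or have this workflow invoke build-image.yaml explicitly via `workflow_call` or `workflow_dispatch` rather than relying on the `release` event. The rest of the release job is outside the hunk.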