From e516c9cda9eb9ea05c64de06d7551627af7ac79c Mon Sep 17 00:00:00 2001
From: Joey Parrish
Date: Mon, 9 Dec 2024 14:28:32 -0800
Subject: [PATCH] fix: Set explicit permissions in shared workflows
---
 set-commit-status/README.md | 10 ++++++++++
 sync-labels/sync-labels.yaml | 5 +++++
 update-issues/update-issues.yaml | 7 +++++++
 3 files changed, 22 insertions(+)
diff --git a/set-commit-status/README.md b/set-commit-status/README.md
index 9d46e3d..5fc2325 100644
--- a/set-commit-status/README.md
+++ b/set-commit-status/README.md
@@ -6,6 +6,11 @@ from workflows with non-PR triggers (such as manually-triggered workflows). To use this in a step, write something like: ```yaml + permissions: + # "Write" to statuses to update commit status + statuses: write + + steps: - name: Report final commit status # Will run on success or failure, but not if the workflow is cancelled # or if we were asked to ignore the test status.
@@ -17,3 +22,8 @@ To use this in a step, write something like: state: ${{ job.status }} token: ${{ secrets.GITHUB_TOKEN }} ``` + + ## Permissions + + A GitHub-generated token requires "write" permission to "statuses" to be able to + set the commit status.
diff --git a/sync-labels/sync-labels.yaml b/sync-labels/sync-labels.yaml
index 0b679ea..ac1b6ca 100644
--- a/sync-labels/sync-labels.yaml
+++ b/sync-labels/sync-labels.yaml
@@ -16,6 +16,11 @@ on:
 jobs:
 sync-labels:
 runs-on: ubuntu-latest
+
+ permissions:
+ # "Write" to Issues to manage labels for the repo
+ issues: write
+
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
diff --git a/update-issues/update-issues.yaml b/update-issues/update-issues.yaml
index 6424ce1..0973aab 100644
--- a/update-issues/update-issues.yaml
+++ b/update-issues/update-issues.yaml
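Review bot: The new job-level `permissions` block lists only `issues: write`, and once any scope is declared at job level GitHub sets every unlisted scope to `none`, so the `actions/checkout@v4` step at the end of this hunk runs with a token that has no `contents` access, which is known to break checkout on private repositories. Add `contents: read` next to `issues: write`, with a comment such as `# "Read" contents so actions/checkout can clone the repo`, so the least-privilege intent of the commit is explicit rather than relying on the repository being public. The job-level block added in update-issues/update-issues.yaml has the same omission. The remaining steps of the `sync-labels` job, where the token is actually used, are outside the hunk.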
@@ -15,6 +15,13 @@ permissions:
 jobs:
 update-issues:
 runs-on: ubuntu-latest
+
+ permissions:
+ # "Write" to Issues to add labels, milestones, comments, etc.
+ issues: write
+ # "Write" to Pull Requests for the same.
+ pull-requests: write
+
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
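Review bot: The hunk header's context line `permissions:` shows this workflow already carries a workflow-level permissions block, and the job-level block added here replaces it wholesale for the `update-issues` job rather than extending it, so any scope the top-level block grants (for instance `contents: read` for the `actions/checkout@v4` step at the end of the hunk) stops applying to this job unless it is repeated here. Since the top-level block is not visible in the patch, its scopes should be checked and either folded into this job-level block or the top-level block dropped, so the token's effective scopes are declared in one place and a reader cannot mistake the workflow-level grants for what this job actually receives. The job's remaining steps run outside the hunk.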