ci: Update workflow permissions (#7731)

Now that default permissions are read-only, we must enable specific permissions for certain workflow jobs. This fixes every job except "update screenshots", which has unresolved permissions issues.
shaka-project · Dec 12, 2024 · 4fa236e · 4fa236e
1 parent 2501095
commit 4fa236e
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/.github/workflows/deflake.yaml b/.github/workflows/deflake.yaml
@@ -16,6 +16,10 @@ jobs:
     if: ${{ github.event.workflow_run.conclusion == 'failure' }}
     runs-on: ubuntu-latest
 
+    permissions:
+      # "Write" to Actions to enable rerun command.
+      actions: write
+
     steps:
       - name: Check run count and re-run workflow
         env:

diff --git a/.github/workflows/selenium-lab-tests.yaml b/.github/workflows/selenium-lab-tests.yaml
@@ -145,6 +145,11 @@ jobs:
     name: Pre-build Player
     needs: compute-sha
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -209,6 +214,10 @@ jobs:
     # lab's Selenium grid on port 4444.
     runs-on: self-hosted-selenium
 
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     # Only one run of this job is allowed at a time, since it uses physical
     # resources in our lab.
     concurrency:

diff --git a/.github/workflows/update-issues.yaml b/.github/workflows/update-issues.yaml
@@ -8,10 +8,6 @@ on:
     # Run every 30 minutes
     - cron: '*/30 * * * *'
 
-permissions:
-  issues: write
-  pull-requests: write
-
 jobs:
   update-issues:
     runs-on: ubuntu-latest