From 245c20e78704af8f3b29a8c43d4906c5c29e3775 Mon Sep 17 00:00:00 2001
From: Joey Parrish
Date: Mon, 9 Dec 2024 14:21:31 -0800
Subject: [PATCH] ci: Update workflow permissions

Now that default permissions are read-only, we must enable specific permissions for certain workflow jobs.
---
 .github/workflows/deflake.yaml | 4 ++++
 .github/workflows/selenium-lab-tests.yaml | 9 +++++++++
 .github/workflows/update-issues.yaml | 4 ----
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/deflake.yaml b/.github/workflows/deflake.yaml
index 9f60b0c964..235dacd6da 100644
--- a/.github/workflows/deflake.yaml
+++ b/.github/workflows/deflake.yaml
@@ -16,6 +16,10 @@ jobs:
 if: ${{ github.event.workflow_run.conclusion == 'failure' }}
 runs-on: ubuntu-latest

+ permissions:
+ # "Write" to Actions to enable rerun command.
+ actions: write
+
 steps:
 - name: Check run count and re-run workflow
 env:
diff --git a/.github/workflows/selenium-lab-tests.yaml b/.github/workflows/selenium-lab-tests.yaml
index 56bf6d9b3e..5ffc9aff6c 100644
--- a/.github/workflows/selenium-lab-tests.yaml
+++ b/.github/workflows/selenium-lab-tests.yaml
@@ -145,6 +145,11 @@ jobs:
 name: Pre-build Player
 needs: compute-sha
 runs-on: ubuntu-latest
+
+ permissions:
+ # "Write" to statuses to update commit status
+ statuses: write
+
 steps:
 - uses: actions/checkout@v4
 with:
@@ -209,6 +214,10 @@ jobs:
 # lab's Selenium grid on port 4444.
 runs-on: self-hosted-selenium

+ permissions:
+ # "Write" to statuses to update commit status
+ statuses: write
+
 # Only one run of this job is allowed at a time, since it uses physical
 # resources in our lab.
 concurrency:
diff --git a/.github/workflows/update-issues.yaml b/.github/workflows/update-issues.yaml
index 0973aab532..29b6984a65 100644
--- a/.github/workflows/update-issues.yaml
+++ b/.github/workflows/update-issues.yaml
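Review bot: The `actions: write` grant in deflake.yaml lands on a job gated only by `github.event.workflow_run.conclusion == 'failure'`, and a `workflow_run` job runs with the base repository's token even when the run that triggered it came from a fork pull request. The body of the re-run step is outside this hunk, so it is worth confirming that it takes the run id only from `github.event.workflow_run.id` and passes event fields through the `env:` block rather than interpolating them into the script. I would also extend the comment to record what a job-level block implies, e.g. `# "Write" to Actions to enable rerun command; all unlisted scopes become "none".`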
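Review bot: The `permissions` block added to the Pre-build Player job in selenium-lab-tests.yaml lists only `statuses: write`, so `contents` falls to `none` while the job's first step is `actions/checkout@v4`. Checkout may still succeed on a public repository, but it would fail on a private fork or mirror, so I would add `contents: read` next to `statuses: write`. The same applies to the block added to the self-hosted job in the next hunk if that job also checks out the repository (its steps are outside the hunk). Because checkout keeps the token in the local git config by default, consider `persist-credentials: false` in the `with:` block so later build steps do not inherit a token that can write commit statuses.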
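Review bot: The second `statuses: write` block in selenium-lab-tests.yaml hands a write-capable token to a job on `self-hosted-selenium`, which the surrounding comments describe as physical lab hardware and which is therefore presumably long-lived between runs. A token that can set commit statuses is worth keeping off such a machine where possible, since those statuses may feed merge decisions. If the status update can move to a small GitHub-hosted job that `needs:` this one, the lab job could run with `permissions: {}`. The job's steps are outside the hunk, so this needs checking against how the status is reported today.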
@@ -8,10 +8,6 @@ on:
 # Run every 30 minutes
 - cron: '*/30 * * * *'

-permissions:
- issues: write
- pull-requests: write
-
 jobs:
 update-issues:
 runs-on: ubuntu-latest