From a88d715727ab530c152c1511a01e2e26fb6976b6 Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Mon, 29 Sep 2025 14:46:58 +0100
Subject: [PATCH 1/3] chore: Add permissions to all workflows
---
.github/workflows/ci.yml | 22 ++++++++++++----------
.github/workflows/pr_title.yml | 3 +++
.github/workflows/publish.yml | 3 +++
.github/workflows/release_pr.yml | 3 +++
4 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 23f10ef..a80f75e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:
branches:
- main
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -15,8 +18,8 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
- node-version: '20'
- cache: 'npm'
+ node-version: "20"
+ cache: "npm"
- name: Install dependencies
run: npm ci
@@ -31,14 +34,13 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
- node-version: '20'
- cache: 'npm'
+ node-version: "20"
+ cache: "npm"
- name: Install dependencies
run: npm ci
- -
- # Required for the package command tests to work
+ - # Required for the package command tests to work
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
@@ -52,8 +54,8 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
- node-version: '20'
- cache: 'npm'
+ node-version: "20"
+ cache: "npm"
- name: Install dependencies
run: npm ci
@@ -68,8 +70,8 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
- node-version: '20'
- cache: 'npm'
+ node-version: "20"
+ cache: "npm"
- name: Install dependencies
run: npm ci
diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml
index c7c8e47..b234002 100644
--- a/.github/workflows/pr_title.yml
+++ b/.github/workflows/pr_title.yml
@@ -7,6 +7,9 @@ on:
- edited
- synchronize
+permissions:
+ contents: read
+
jobs:
main:
name: Validate PR title
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 67626b9..cae87d0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
tags:
- "v*.*.*"
+permissions:
+ contents: read
+
jobs:
publish:
name: Publish to npm
diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index ddb8a6b..524d22a 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
@@ -4,6 +4,9 @@ on:
branches:
- main
+permissions:
+ contents: read
+
jobs:
release-please:
runs-on: ubuntu-latest
From 9b9f771cb90570a103df4e59d309b513b049120d Mon Sep 17 00:00:00 2001
From: Erez Rokah
Date: Mon, 29 Sep 2025 14:47:51 +0100
Subject: [PATCH 2/3] Update pr_title.yml
---
.github/workflows/pr_title.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml
index b234002..596a286 100644
--- a/.github/workflows/pr_title.yml
+++ b/.github/workflows/pr_title.yml
@@ -8,7 +8,7 @@ on:
- synchronize
permissions:
- contents: read
+ pull-requests: write
jobs:
main:
@@ -44,7 +44,7 @@ jobs:
# special "[WIP]" prefix to indicate this state. This will avoid the
# validation of the PR title and the pull request checks remain pending.
# Note that a second check will be reported if this is enabled.
- wip: true
+ wip: false
# When using "Squash and merge" on a PR with only one commit, GitHub
# will suggest using that commit message instead of the PR title for the
# merge commit, and it's easy to commit this by mistake. Enable this option
From c6f11ce43fc2f8c1b0e226b2a431af5096352013 Mon Sep 17 00:00:00 2001
From: Erez Rokah
Date: Mon, 29 Sep 2025 14:50:29 +0100
Subject: [PATCH 3/3] Update pr_title.yml
---
.github/workflows/pr_title.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml
index 3fc73cd..fb72636 100644
--- a/.github/workflows/pr_title.yml
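Review bot: The workflow-level `contents: read` added in the publish.yml hunk pins the GITHUB_TOKEN of the `publish` job to read-only, but the job's steps are outside the hunk, so it is not visible how the npm publish authenticates. If it uses `npm publish --provenance` or npm trusted publishing over OIDC, the job needs `id-token: write`, which neither this block nor the default token grants; if it uses an `NPM_TOKEN` secret, `contents: read` is sufficient and nothing else is needed. Whichever applies, I would grant any extra scope on the job rather than widen the workflow default, e.g. `permissions:` / `  contents: read` / `  id-token: write` under `jobs.publish`, assuming the job does not already carry its own `permissions:` block that would override this one. A one-line comment above the new block naming the scopes the publish step actually needs would make the next audit of this workflow much faster.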
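Review bot: The new workflow-level `contents: read` in the release_pr.yml hunk leaves the `release-please` job with a token that cannot open the release PR or push a release tag, which is what that job exists to do; the job body is outside the hunk, so this assumes it runs on GITHUB_TOKEN rather than a PAT passed via `token:` and has no job-level `permissions:` of its own. If that holds, the job needs an explicit override such as `permissions:` / `  contents: write` / `  pull-requests: write` under `jobs.release-please`, which keeps the workflow default read-only and grants write only where it is consumed. Because a too-narrow token here only fails on the next merge to `main`, it is worth a comment above the block stating which job overrides it and why.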
+++ b/.github/workflows/pr_title.yml
@@ -8,7 +8,7 @@ on:
- synchronize
permissions:
- pull-requests: write
+ pull-requests: read
jobs:
main:
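Review bot: Once `permissions:` lists only `pull-requests: read`, every other scope of the GITHUB_TOKEN, including `contents`, becomes `none`, so the `main` job must not run `actions/checkout` or anything else that reads the repository with that token; the job's steps are outside this hunk, so that is the assumption to confirm before merging. For a check that only inspects the PR title from the `pull_request` event payload this is the right minimal grant, and it is consistent with `wip: false` from the previous patch, which is the setting under which the action no longer needs to write a status check. I would record that reasoning above the block, e.g. `# read-only: the action only inspects the PR title from the event payload; wip is disabled so no status check is written`, so the next person does not bump it back to write by reflex.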