From a7957a2edde35ab68252c0ac570648e363b690bb Mon Sep 17 00:00:00 2001
From: George Adams
Date: Mon, 5 Aug 2024 13:07:44 +0100
Subject: [PATCH] fixup token permissions (#621)
---
 .github/workflows/auto-merge.yml | 7 ++++---
 .github/workflows/code-freeze.yml | 7 ++++---
 .github/workflows/dependabot-auto-merge.yml | 7 ++++---
 .github/workflows/test-pr.yml | 2 ++
 .github/workflows/updater.yml | 2 ++
 5 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 460e23188..fc7453a6d 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -4,12 +4,13 @@ on:
 pull_request:
 types: [labeled]
-permissions:
- contents: write
- pull-requests: write
+permissions: read-all
 jobs:
 automerge:
+ permissions:
+ contents: write
+ pull-requests: write
 uses: adoptium/.github/.github/workflows/pr-auto-merge.yml@main
 with:
 allowed-author: eclipse-temurin-bot
diff --git a/.github/workflows/code-freeze.yml b/.github/workflows/code-freeze.yml
index 884b178bc..f14e3ad89 100644
--- a/.github/workflows/code-freeze.yml
+++ b/.github/workflows/code-freeze.yml
@@ -19,13 +19,14 @@ on:
 issue_comment:
 types: [created]
-permissions:
- contents: write
- pull-requests: write
+permissions: read-all
 jobs:
 # Check if the pull request target branch matches the required branch-regex?
 codefreeze_branch_check:
+ permissions:
+ contents: write
+ pull-requests: write
 uses: adoptium/.github/.github/workflows/code-freeze-regex-branch.yml@main
 with:
 branch-regex: "^main$"
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index be789c6c5..2f75be406 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
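Review bot: In `.github/workflows/auto-merge.yml` the `automerge` job now hands `contents: write` and `pull-requests: write` to a reusable workflow referenced by a mutable branch, `uses: adoptium/.github/.github/workflows/pr-auto-merge.yml@main`, so whatever lands on that branch next runs with a write token in this repository. Pinning the call to a full commit SHA, `uses: adoptium/.github/.github/workflows/pr-auto-merge.yml@<full-commit-sha>  # main`, ties the job-level grant to code that has been reviewed. The same `@main` reference sits directly under the write grants added in `code-freeze.yml` (`codefreeze_branch_check`) and `dependabot-auto-merge.yml` (`dependabot`). The job's `with:` block continues past the end of this hunk.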
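Review bot: In `.github/workflows/code-freeze.yml` the job `codefreeze_branch_check` receives both `contents: write` and `pull-requests: write`, which is the old workflow-level grant moved down unchanged rather than narrowed to what this job uses. The workflow is triggered by `issue_comment` with `types: [created]`, so the job can be started by any account able to comment, and the comment above the job describes only a branch-regex check. If the called workflow never pushes commits, the block could shrink to `permissions:` with only `pull-requests: write`; that has to be confirmed against `code-freeze-regex-branch.yml`, which is not shown here. Other triggers and any further jobs in the file lie outside the hunk.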
@@ -1,10 +1,11 @@
 name: Dependabot auto-merge
 on: pull_request_target
-permissions:
- contents: write
- pull-requests: write
+permissions: read-all
 jobs:
 dependabot:
+ permissions:
+ contents: write
+ pull-requests: write
 uses: adoptium/.github/.github/workflows/dependabot-auto-merge.yml@main
diff --git a/.github/workflows/test-pr.yml b/.github/workflows/test-pr.yml
index cd75aa12f..694a5d44f 100644
--- a/.github/workflows/test-pr.yml
+++ b/.github/workflows/test-pr.yml
@@ -11,6 +11,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 generate-jobs:
 name: Generate Jobs
diff --git a/.github/workflows/updater.yml b/.github/workflows/updater.yml
index d6ee6308c..d7c04a3b9 100644
--- a/.github/workflows/updater.yml
+++ b/.github/workflows/updater.yml
@@ -5,6 +5,8 @@ on:
 # Runs every half hour
 - cron: "*/30 * * * *"
+permissions: read-all
+
 jobs:
 update_dockerfile:
 permissions:
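Review bot: `on: pull_request_target` in `.github/workflows/dependabot-auto-merge.yml` runs in the base repository's context for pull requests from any author, and the `dependabot` job carries `contents: write` and `pull-requests: write` with no condition on who opened the PR. The called workflow may already check the author, but that cannot be seen from this file. A guard on the caller, `if: github.event.pull_request.user.login == 'dependabot[bot]'`, would stop the write-scoped job from starting for other authors at all. The hunk appears to cover the whole file, so no such check exists elsewhere in it.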
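Review bot: `permissions: read-all` in `.github/workflows/test-pr.yml` becomes the default that every job without its own block inherits, and it grants read on every token scope rather than only the ones the jobs use. If the jobs only check out and build the repository, a narrower default such as `permissions:` with `contents: read` would be enough; this cannot be confirmed from the hunk because `generate-jobs` continues past it. The same line is added to `updater.yml` and to the three auto-merge and code-freeze workflows. In `dependabot-auto-merge.yml`, where the only job sets its own block, `permissions: {}` at the top would make it explicit that nothing is inherited.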