Merge pull request #3086 from cisagov/ms/2999-update-workflow-permiss…

…ions #3003: remove monitor and add specific permissions
cisagov · Nov 15, 2024 · 08ad55a · 08ad55a
2 parents a872893 + 116877b
commit 08ad55a
Show file tree

Hide file tree

Showing 10 changed files with 4 additions and 12 deletions.
diff --git a/.github/workflows/clone-db.yaml b/.github/workflows/clone-db.yaml
@@ -27,7 +27,6 @@ jobs:
       CF_USERNAME: ${{ secrets.CF_STAGING_USERNAME }}
       CF_PASSWORD: ${{ secrets.CF_STAGING_PASSWORD }}
     steps:
-        - uses: GitHubSecurityLab/actions-permissions/monitor@v1
         - name: Clone Database
           run: |
             # install cf cli and other tools

diff --git a/.github/workflows/createcachetable.yaml b/.github/workflows/createcachetable.yaml
@@ -37,7 +37,6 @@ jobs:
       CF_USERNAME: CF_${{ github.event.inputs.environment }}_USERNAME
       CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Create cache table for ${{ github.event.inputs.environment }}
         uses: cloud-gov/cg-cli-tools@main
         with:

diff --git a/.github/workflows/daily-csv-upload.yaml b/.github/workflows/daily-csv-upload.yaml
@@ -13,7 +13,6 @@ jobs:
       CF_USERNAME: CF_${{ secrets.CF_REPORT_ENV }}_USERNAME
       CF_PASSWORD: CF_${{ secrets.CF_REPORT_ENV }}_PASSWORD
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Generate current-federal.csv
         uses: cloud-gov/cg-cli-tools@main
         with:

diff --git a/.github/workflows/deploy-manual.yaml b/.github/workflows/deploy-manual.yaml
@@ -44,7 +44,6 @@ jobs:
   variables:
     runs-on: ubuntu-latest
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Setting global variables
         uses: actions/github-script@v6
         id: var

diff --git a/.github/workflows/deploy-sandbox.yaml b/.github/workflows/deploy-sandbox.yaml
@@ -35,7 +35,6 @@ jobs:
       environment: ${{ steps.var.outputs.environment}}
     runs-on: "ubuntu-latest"
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Setting global variables
         uses: actions/github-script@v6
         id: var
@@ -72,6 +71,8 @@ jobs:
   comment:
     runs-on: ubuntu-latest
     needs: [variables, deploy]
+    permissions:
+      issues: write
     steps:
       - uses: actions/github-script@v6
         env:

diff --git a/.github/workflows/issue-label-notifier.yaml b/.github/workflows/issue-label-notifier.yaml
@@ -9,8 +9,9 @@ on:
 jobs:
   notify:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: jenschelkopf/[email protected]
         with:
           recipients: |

diff --git a/.github/workflows/migrate.yaml b/.github/workflows/migrate.yaml
@@ -45,7 +45,6 @@ jobs:
       CF_USERNAME: CF_${{ github.event.inputs.environment }}_USERNAME
       CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Run Django migrations for ${{ github.event.inputs.environment }}
         uses: cloud-gov/cg-cli-tools@main
         with:

diff --git a/.github/workflows/reset-db.yaml b/.github/workflows/reset-db.yaml
@@ -45,7 +45,6 @@ jobs:
       CF_USERNAME: CF_${{ github.event.inputs.environment }}_USERNAME
       CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Delete existing data for ${{ github.event.inputs.environment }}
         uses: cloud-gov/cg-cli-tools@main
         with:

diff --git a/.github/workflows/security-check.yaml b/.github/workflows/security-check.yaml
@@ -54,7 +54,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Check out
         uses: actions/checkout@v3
       - name: MockUserLogin should not be in settings.MIDDLEWARE

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -21,7 +21,6 @@ jobs:
   python-linting:
     runs-on: ubuntu-latest
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
 
       - name: Linting
@@ -33,7 +32,6 @@ jobs:
   python-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
 
       - name: Unit tests
@@ -43,7 +41,6 @@ jobs:
   django-migrations-complete:
     runs-on: ubuntu-latest
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
 
       - name: Check for complete migrations