Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.head_ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
ci:
name: 🧪 Test & lint
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/initiate_release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ on:
type: string
pattern: "^[0-9]+\\.[0-9]+\\.[0-9]+$"

permissions:
contents: write
pull-requests: write

jobs:
init_release:
name: 🚀 Create release PR
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ on:
branches:
- main

permissions:
contents: read
pull-requests: read
Comment on lines +10 to +11

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Create release on GitHub step uses ncipollo/release-action@v1, which needs contents: write to create the release and its tag (per the action's README). With contents: read this step will fail with 403 on the next release, and CodeQL still closes the alert since a block exists, so the break only surfaces at release time. pull-requests is unused here (the PR ref is read from the event payload, not the API), so drop it.

Suggested change
contents: read
pull-requests: read
contents: write


jobs:
Release:
name: 🚀 Release
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/scheduled_test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ on:
# Monday at 9:00 UTC
- cron: "0 9 * * 1"

permissions:
contents: read
pull-requests: write

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow runs on schedule/workflow_dispatch and never touches the PR API (the Slack step uses a bot token). pull-requests: write is unused, so it can be dropped, leaving only contents: read.

Suggested change
pull-requests: write


jobs:
test:
environment: ci
Expand Down
Loading