From ad593ae56593f4568c7b46447455a392ba8db2ed Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Tue, 10 May 2022 19:55:02 -0700
Subject: [PATCH 01/12] ci: add GitHub token permissions
---
 .github/workflows/browserstack.yml | 3 +++
 .github/workflows/bundlewatch.yml | 3 +++
 .github/workflows/cspell.yml | 6 ++++++
 .github/workflows/css.yml | 3 +++
 .github/workflows/docs.yml | 3 +++
 .github/workflows/issue-close-require.yml | 6 ++++++
 .github/workflows/issue-labeled.yml | 6 ++++++
 .github/workflows/js.yml | 6 ++++++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/node-sass.yml | 3 +++
 .github/workflows/release-notes.yml | 6 ++++++
 11 files changed, 48 insertions(+)
diff --git a/.github/workflows/browserstack.yml b/.github/workflows/browserstack.yml
index 425c5668449a..fd06d74739f5 100644
--- a/.github/workflows/browserstack.yml
+++ b/.github/workflows/browserstack.yml
@@ -8,6 +8,9 @@ env:
 FORCE_COLOR: 2
 NODE: 16
+permissions:
+ contents: read
+
 jobs:
 browserstack:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/bundlewatch.yml b/.github/workflows/bundlewatch.yml
index d1a174784d27..7a42ac415ffe 100644
--- a/.github/workflows/bundlewatch.yml
+++ b/.github/workflows/bundlewatch.yml
@@ -11,6 +11,9 @@ env:
 FORCE_COLOR: 2
 NODE: 16
+permissions:
+ contents: read
+
 jobs:
 bundlewatch:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml
index 7fd988dbb2be..f08d30f9a0e6 100644
--- a/.github/workflows/cspell.yml
+++ b/.github/workflows/cspell.yml
@@ -11,8 +11,14 @@ env:
 FORCE_COLOR: 2
 NODE: 16
+permissions:
+ contents: read
+
 jobs:
 cspell:
+ permissions:
+ contents: read # for streetsidesoftware/cspell-action to fetch files for commit
+ pull-requests: read # for streetsidesoftware/cspell-action to fetch commits for PR
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/css.yml b/.github/workflows/css.yml
index 857a5672cb35..8db0e3ee07b2 100644
--- a/.github/workflows/css.yml
+++ b/.github/workflows/css.yml
@@ -11,6 +11,9 @@ env:
 FORCE_COLOR: 2
 NODE: 16
+permissions:
+ contents: read
+
 jobs:
 css:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index f33413eb4b93..e248fb433c00 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -11,6 +11,9 @@ env:
 FORCE_COLOR: 2
 NODE: 16
+permissions:
+ contents: read
+
 jobs:
 docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml
index b251cd75ee0d..0c30692a81d7 100644
--- a/.github/workflows/issue-close-require.yml
+++ b/.github/workflows/issue-close-require.yml
@@ -4,8 +4,14 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 issue-close-require:
+ permissions:
+ issues: write # for actions-cool/issues-helper to update issues
+ pull-requests: write # for actions-cool/issues-helper to update PRs
 runs-on: ubuntu-latest
 if: github.repository == 'twbs/bootstrap'
 steps:
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
index 74c194679f43..b5ab6d0a32d7 100644
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -4,8 +4,14 @@ on:
 issues:
 types: [labeled]
+permissions:
+ contents: read
+
 jobs:
 issue-labeled:
+ permissions:
+ issues: write # for actions-cool/issues-helper to update issues
+ pull-requests: write # for actions-cool/issues-helper to update PRs
 if: github.repository == 'twbs/bootstrap'
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
index 82616c5743dd..60a2f1603b68 100644
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -11,8 +11,14 @@ env:
 FORCE_COLOR: 2
 NODE: 16
+permissions:
+ contents: read
+
 jobs:
 run:
+ permissions:
+ checks: write # for coverallsapp/github-action to create new checks
+ contents: read # for actions/checkout to fetch code
 name: JS Tests
 runs-on: ubuntu-latest
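Review bot: The job-level block added to `issue-close-require` in the `issue-close-require.yml` hunk hands `issues: write` and `pull-requests: write` to a third-party action (actions-cool/issues-helper, per the inline comments), and nothing in the hunk shows how that action is referenced; the `steps:` body is outside the hunk. If the `uses:` line names a tag or branch rather than a full commit SHA, the write-scoped token goes to whatever that ref points at later, so the scoping here is best paired with a SHA pin. The same applies to the `issue-labeled.yml` hunk that follows and to `update_release_draft` in `release-notes.yml`, which holds `contents: write`. It is also worth confirming that the scheduled job touches pull requests at all; if it only closes issues, `pull-requests: write` can be dropped.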
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 816694ec2864..c9c156d66e0e 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,9 @@ env:
 FORCE_COLOR: 2
 NODE: 16
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/node-sass.yml b/.github/workflows/node-sass.yml
index 465cee48501d..a303e71acc9f 100644
--- a/.github/workflows/node-sass.yml
+++ b/.github/workflows/node-sass.yml
@@ -11,6 +11,9 @@ env:
 FORCE_COLOR: 2
 NODE: 16
+permissions:
+ contents: read
+
 jobs:
 css:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index bbd0a2448bfa..8f3c49f2c6f9 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -6,8 +6,14 @@ on:
 - main
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 update_release_draft:
+ permissions:
+ contents: write # for release-drafter/release-drafter to create a github release
+ pull-requests: write # for release-drafter/release-drafter to add label to PR
 runs-on: ubuntu-latest
 if: github.repository == 'twbs/bootstrap'
 steps:
From 4c4a28c05bcc38638d59732d3a944f3a119d6799 Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:48:03 +0200
Subject: [PATCH 02/12] Update issue-close-require.yml
---
 .github/workflows/issue-close-require.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml
index 0c30692a81d7..180771cdfac2 100644
--- a/.github/workflows/issue-close-require.yml
+++ b/.github/workflows/issue-close-require.yml
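Review bot: `pull-requests: write` on `update_release_draft` in the `release-notes.yml` hunk looks broader than the visible triggers need: the hunk shows a branch list ending in `main` plus `workflow_dispatch`, and labelling a PR (the stated reason) only happens when the workflow runs on pull-request events. If no such trigger exists in the lines above the hunk, `pull-requests: read` should be enough for release-drafter to collect merged PRs, leaving `contents: write` as the only write scope on the job. Suggested line: `pull-requests: read # release-drafter reads merged PRs; write is only needed for the autolabeler`. The `on:` block starts outside the hunk, so this needs checking against the full file.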
@@ -10,8 +10,8 @@ permissions:
 jobs:
 issue-close-require:
 permissions:
- issues: write # for actions-cool/issues-helper to update issues
- pull-requests: write # for actions-cool/issues-helper to update PRs
+ issues: write # for actions-cool/issues-helper to update issues
+ pull-requests: write # for actions-cool/issues-helper to update PRs
 runs-on: ubuntu-latest
 if: github.repository == 'twbs/bootstrap'
 steps:
From 0ce25b03f32316e750ebefe52d8d49a4624fa395 Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:48:50 +0200
Subject: [PATCH 03/12] Update cspell.yml
---
 .github/workflows/cspell.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml
index 92b06ff548fa..a2ed6516b236 100644
--- a/.github/workflows/cspell.yml
+++ b/.github/workflows/cspell.yml
@@ -17,8 +17,9 @@ permissions:
 jobs:
 cspell:
 permissions:
- contents: read # for streetsidesoftware/cspell-action to fetch files for commit
- pull-requests: read # for streetsidesoftware/cspell-action to fetch commits for PR
+ # allow streetsidesoftware/cspell-action to fetch files for commit and PR
+ contents: read
+ pull-requests: read
 runs-on: ubuntu-latest
 steps:
From e83f41f8766e927c574d7a778160ce4f3afa04e8 Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:49:21 +0200
Subject: [PATCH 04/12] Update issue-close-require.yml
---
 .github/workflows/issue-close-require.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml
index 180771cdfac2..a23d73b1c7a0 100644
--- a/.github/workflows/issue-close-require.yml
+++ b/.github/workflows/issue-close-require.yml
@@ -10,8 +10,9 @@ permissions:
 jobs:
 issue-close-require:
 permissions:
- issues: write # for actions-cool/issues-helper to update issues
- pull-requests: write # for actions-cool/issues-helper to update PRs
+ # allow actions-cool/issues-helper to fetch files for issues and PRs
+ issues: write
+ pull-requests: write
 runs-on: ubuntu-latest
 if: github.repository == 'twbs/bootstrap'
 steps:
From 8ec6bc2944e1f920465b391e9211d92c795489e1 Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:49:28 +0200
Subject: [PATCH 05/12] Update cspell.yml
---
 .github/workflows/cspell.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml
index a2ed6516b236..da1b0a6044bc 100644
--- a/.github/workflows/cspell.yml
+++ b/.github/workflows/cspell.yml
@@ -17,7 +17,7 @@ permissions:
 jobs:
 cspell:
 permissions:
- # allow streetsidesoftware/cspell-action to fetch files for commit and PR
+ # allow streetsidesoftware/cspell-action to fetch files for commit and PRs
 contents: read
 pull-requests: read
 runs-on: ubuntu-latest
From 7d2262f06443c526df2380d50871c7c1f7ee61bd Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:50:11 +0200
Subject: [PATCH 06/12] Update issue-labeled.yml
---
 .github/workflows/issue-labeled.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
index 9f57e728b689..584879dd80cf 100644
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -10,8 +10,9 @@ permissions:
 jobs:
 issue-labeled:
 permissions:
- issues: write # for actions-cool/issues-helper to update issues
- pull-requests: write # for actions-cool/issues-helper to update PRs
+ # allow actions-cool/issues-helper to update issues and PRs
+ issues: write
+ pull-requests: write
 if: github.repository == 'twbs/bootstrap'
 runs-on: ubuntu-latest
 steps:
From 392d1723524669d2b04c4af4a7a7727c2fbf9f9c Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:50:24 +0200
Subject: [PATCH 07/12] Update issue-close-require.yml
---
 .github/workflows/issue-close-require.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml
index a23d73b1c7a0..b5000d8b4350 100644
--- a/.github/workflows/issue-close-require.yml
+++ b/.github/workflows/issue-close-require.yml
@@ -10,7 +10,7 @@ permissions:
 jobs:
 issue-close-require:
 permissions:
- # allow actions-cool/issues-helper to fetch files for issues and PRs
+ # allow actions-cool/issues-helper to update issues and PRs
 issues: write
 pull-requests: write
 runs-on: ubuntu-latest
From 1adf6f793bc4e9c2c025df3accd8c320d9fe74fc Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:50:57 +0200
Subject: [PATCH 08/12] Update js.yml
---
 .github/workflows/js.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
index c695f485dc04..08d32ed7b01c 100644
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -17,8 +17,9 @@ permissions:
 jobs:
 run:
 permissions:
- checks: write # for coverallsapp/github-action to create new checks
- contents: read # for actions/checkout to fetch code
+ # allow coverallsapp/github-action to to create new checks issues and fetch code
+ checks: write
+ contents: read
 name: JS Tests
 runs-on: ubuntu-latest
From 83a631aca2cd3786587ffe389d202a4b073cfe58 Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:51:42 +0200
Subject: [PATCH 09/12] Update release-notes.yml
---
 .github/workflows/release-notes.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index 8f3c49f2c6f9..ecb24cb02908 100644
--- a/.github/workflows/release-notes.yml
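Review bot: The merged comment in the `js.yml` hunk of [PATCH 08/12] misstates who uses which scope: the two lines it replaces attributed `checks: write` to coverallsapp/github-action and `contents: read` to actions/checkout, while the new single line credits coverallsapp with both. It also carries a stray `issues` ("create new checks issues") that [PATCH 11/12] leaves in place when it removes the doubled `to`. Suggested wording: `# allow coverallsapp/github-action to create checks and actions/checkout to fetch code`. Per-scope attribution is what lets a later reviewer drop a permission safely when an action is removed, so keeping it accurate matters more than saving a line.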
+++ b/.github/workflows/release-notes.yml
@@ -12,8 +12,9 @@ permissions:
 jobs:
 update_release_draft:
 permissions:
- contents: write # for release-drafter/release-drafter to create a github release
- pull-requests: write # for release-drafter/release-drafter to add label to PR
+ # allow release-drafter/release-drafter to create a GitHub release and add labels to PRs
+ contents: write
+ pull-requests: write
 runs-on: ubuntu-latest
 if: github.repository == 'twbs/bootstrap'
 steps:
From f4df7b50d8c40de40cea07c29ab68b9e5850bc8d Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:52:08 +0200
Subject: [PATCH 10/12] Update cspell.yml
---
 .github/workflows/cspell.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml
index da1b0a6044bc..27a04dc57f59 100644
--- a/.github/workflows/cspell.yml
+++ b/.github/workflows/cspell.yml
@@ -17,7 +17,7 @@ permissions:
 jobs:
 cspell:
 permissions:
- # allow streetsidesoftware/cspell-action to fetch files for commit and PRs
+ # allow streetsidesoftware/cspell-action to fetch files for commits and PRs
 contents: read
 pull-requests: read
 runs-on: ubuntu-latest
From 3a324780e0545d7fb01205d7612b7f95b9fd8f93 Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:52:27 +0200
Subject: [PATCH 11/12] Update js.yml
---
 .github/workflows/js.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
index 08d32ed7b01c..f268546d609b 100644
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -17,7 +17,7 @@ permissions:
 jobs:
 run:
 permissions:
- # allow coverallsapp/github-action to to create new checks issues and fetch code
+ # allow coverallsapp/github-action to create new checks issues and fetch code
 checks: write
 contents: read
 name: JS Tests
From d8434af63052493911578ea4725b7bbcd3565ed9 Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Sat, 12 Nov 2022 09:52:42 +0200
Subject: [PATCH 12/12] Update release-notes.yml
---
 .github/workflows/release-notes.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index ecb24cb02908..f620dd31d1f8 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -12,7 +12,7 @@ permissions:
 jobs:
 update_release_draft:
 permissions:
- # allow release-drafter/release-drafter to create a GitHub release and add labels to PRs
+ # allow release-drafter/release-drafter to create GitHub releases and add labels to PRs
 contents: write
 pull-requests: write
 runs-on: ubuntu-latest