Cleanup github actions files (#141)

Author: kevinwcyu

.github/workflows/issue_commands.yml

@@ -4,6 +4,9 @@ on:
     types: [labeled, unlabeled]
 jobs:
   main:
+    permissions:
+      contents: read
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions
@@ -12,6 +15,7 @@ jobs:
           repository: 'grafana/grafana-github-actions'
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: 'Generate token'

.github/workflows/pr-commands.yml

@@ -8,6 +8,9 @@ concurrency:
   group: pr-commands-${{ github.event.number }}
 jobs:
   main:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions
@@ -16,6 +19,7 @@ jobs:
           repository: 'grafana/grafana-github-actions'
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: 'Generate token'

.github/workflows/publish-npm.yml

@@ -4,10 +4,15 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   npm-publish:
     name: Publish to NPM & GitHub Package Registry
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     outputs:
       new_version: ${{ steps.version_check.outputs.version }}
       version_changed: ${{ steps.version_check.outputs.changed }}
@@ -16,17 +21,21 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: main
+          persist-credentials: false
       # limit releases to version changes - https://github.com/EndBug/version-check
       - name: Check version changes
-        uses: EndBug/version-check@v2
+        uses: EndBug/version-check@36ff30f37c7deabe56a30caa043d127be658c425 # v2.1.5
         id: version_check
         with:
           file-url: https://unpkg.com/@grafana/aws-sdk@latest/package.json
           static-checking: localIsNew
 
       - name: Version update detected
+        env:
+          VERSION: ${{ steps.version_check.outputs.version }}
+          TYPE: ${{ steps.version_check.outputs.type }}
         if: steps.version_check.outputs.changed == 'true'
-        run: 'echo "Version change found! New version: ${{ steps.version_check.outputs.version }} (${{ steps.version_check.outputs.type }})"'
+        run: 'echo "Version change found! New version: ${VERSION} (${TYPE})"'
 
       - name: Setup .npmrc file for NPM registry
         if: steps.version_check.outputs.changed == 'true'
@@ -67,16 +76,23 @@ jobs:
     runs-on: ubuntu-latest
     needs: npm-publish
     if: needs.npm-publish.outputs.version_changed == 'true'
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Create Release Notes
         uses: actions/[email protected]
+        env:
+          TAG_NAME: "v${{ needs.npm-publish.outputs.new_version }}"
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const { TAG_NAME } = process.env
             await github.request(`POST /repos/${{ github.repository }}/releases`, {
-              tag_name: "v${{ needs.npm-publish.outputs.new_version }}",
+              tag_name: `${TAG_NAME}`,
               generate_release_notes: true
             });