From e8e64f2c30cc8f6195ea81bd1038a3a399403e5b Mon Sep 17 00:00:00 2001
From: e271828-
Date: Mon, 1 Dec 2025 10:00:39 -0500
Subject: [PATCH 1/3] =?UTF-8?q?chore:=20workflow=20cleanup=20-=20workflow?=
 =?UTF-8?q?=20token=20scopes:=20added=20global=20contents:=20read=20defaul?=
 =?UTF-8?q?t=20=20=20=20=20and=20per-job=20overrides=20to=20grant=20only?=
 =?UTF-8?q?=20what=E2=80=99s=20required=20(mostly=20actions:=20write=20=20?=
 =?UTF-8?q?=20=20=20for=20caches,=20issues:=20write=20for=20PR=20comments,?=
 =?UTF-8?q?=20contents:=20write=20for=20release=20=20=20=20=20publishing)?=
 =?UTF-8?q?=20in=20.github/workflows/workflow.yml.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/workflow.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index b6869fe..84ae60e 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -13,6 +13,9 @@ on:
 workflow_dispatch:
 repository_dispatch:
+permissions:
+ contents: read
+
 
 concurrency:
 group: '${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.ref_name }}'
 cancel-in-progress: true
@@ -24,6 +27,9 @@ env:
 jobs:
 test:
 name: Test SDK
+ permissions:
+ contents: read
+ actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -61,6 +67,9 @@ jobs:
 sources-lint:
 name: Lint Source files
 needs: test
+ permissions:
+ contents: read
+ actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -82,6 +91,9 @@ jobs:
 pod-lint:
 name: Lint Podspec
 needs: test
+ permissions:
+ contents: read
+ actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
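Review bot: The workflow-level `permissions: contents: read` in the first hunk changes the meaning of every per-job `permissions:` block that follows, because a job-level block replaces the workflow default rather than merging with it, so a job that later lists only an extra scope such as `issues: write` would silently lose `contents: read` and checkout of a private repository could fail. The per-job blocks in this patch do restate `contents: read`, but nothing in the file records why; a comment above the top-level block would keep that invariant visible to the next editor: `# Default for all jobs. A job-level permissions: block REPLACES this (no merge), so any job that adds scopes must restate contents: read.` The same consideration applies to each job-level block added in the later hunks of this patch.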
@@ -99,6 +111,9 @@ jobs:
 carthage-build:
 name: Carthage Build
 needs: test
+ permissions:
+ contents: read
+ actions: write
 runs-on: ${{ matrix.os }}
 continue-on-error: ${{ matrix.experimental }}
 strategy:
@@ -129,6 +144,9 @@ jobs:
 swift-package-build:
 name: Swift Package Build
 needs: test
+ permissions:
+ contents: read
+ actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -146,6 +164,10 @@ jobs:
 size-report:
 name: Cocoapods size report
 if: github.event_name == 'pull_request'
+ permissions:
+ contents: read
+ actions: write
+ issues: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -209,6 +231,9 @@ jobs:
 samples:
 name: Build Samples
 needs: test
+ permissions:
+ contents: read
+ actions: write
 runs-on: ${{ matrix.os }}
 continue-on-error: ${{ matrix.experimental }}
 strategy:
@@ -246,6 +271,9 @@ jobs:
 - carthage-build
 - swift-package-build
 - samples
+ permissions:
+ contents: write
+ actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

From 5f1cebd9a2a5590ab6b3fd87842dc0bbe846a05e Mon Sep 17 00:00:00 2001
From: Aliaksandr Babrykovich
Date: Mon, 1 Dec 2025 18:57:11 +0100
Subject: [PATCH 2/3] fix: add pull-request write permissin to make create-or-update-comment work

---
 .github/workflows/workflow.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 84ae60e..721ef81 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -165,6 +165,7 @@ jobs:
 name: Cocoapods size report
 if: github.event_name == 'pull_request'
 permissions:
+ pull-requests: write
 contents: read
 actions: write
 issues: write

From 881f693d402c301b6d7b530a084bf906c60ed1ed Mon Sep 17 00:00:00 2001
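Review bot: In the release hunk (`@@ -246,6 +271,9 @@`) the job now carries `contents: write`, and the `actions/checkout` step shown in the same hunk runs with the default `persist-credentials: true`, which leaves that write-capable token in the checkout's `.git/config` for every later step of the job. Unless a later step pushes with git (the remainder of the job is outside the hunk, so that cannot be confirmed here), add `with:` / `persist-credentials: false` to that checkout step so tooling invoked during release publishing cannot read the token from the working tree, and hand the token only to the step that actually publishes via its own `env:`. The other hunks of this patch grant only `contents: read`, so the persisted credential there is less of a concern, but the same `persist-credentials: false` default would be consistent across the file.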
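Review bot: `pull-requests: write` (like the existing `issues: write`) cannot take effect for pull requests opened from forks: the job is gated on `if: github.event_name == 'pull_request'` (context line in this hunk), and for fork PRs GitHub issues a read-only `GITHUB_TOKEN` regardless of the declared scopes, so the comment step will fail there. If fork PRs are expected, guard that step with `if: github.event.pull_request.head.repo.full_name == github.repository` or mark it `continue-on-error: true`, rather than switching the trigger to `pull_request_target`, which would run the size-report build with a write token on untrusted code. Separately, if the step only comments on pull requests, `issues: write` may be unnecessary now that `pull-requests: write` is granted; confirm against the comment step, which is outside the hunk.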
From: Aliaksandr Babrykovich
Date: Mon, 1 Dec 2025 19:53:09 +0100
Subject: [PATCH 3/3] chore: remove actions write permission

---
 .github/workflows/workflow.yml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 721ef81..547cae1 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -29,7 +29,6 @@ jobs:
 name: Test SDK
 permissions:
 contents: read
- actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -69,7 +68,6 @@ jobs:
 needs: test
 permissions:
 contents: read
- actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -93,7 +91,6 @@ jobs:
 needs: test
 permissions:
 contents: read
- actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -113,7 +110,6 @@ jobs:
 needs: test
 permissions:
 contents: read
- actions: write
 runs-on: ${{ matrix.os }}
 continue-on-error: ${{ matrix.experimental }}
 strategy:
@@ -146,7 +142,6 @@ jobs:
 needs: test
 permissions:
 contents: read
- actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -167,7 +162,6 @@ jobs:
 permissions:
 pull-requests: write
 contents: read
- actions: write
 issues: write
 runs-on: macos-14
 steps:
@@ -234,7 +228,6 @@ jobs:
 needs: test
 permissions:
 contents: read
- actions: write
 runs-on: ${{ matrix.os }}
 continue-on-error: ${{ matrix.experimental }}
 strategy:
@@ -274,7 +267,6 @@ jobs:
 - samples
 permissions:
 contents: write
- actions: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2