workflows: Order and comments for permissions

Signed-off-by: Loïc Minier <[email protected]>

Author: lool

.github/workflows/build-daily.yml

@@ -7,8 +7,9 @@ on:
   # allow manual runs
   workflow_dispatch:
 
+# implicitely set all other permissions to none
 permissions:
-  contents: read
+  contents: read # debos.yml
 
 jobs:
   build-daily:

.github/workflows/build-on-pr.yml

@@ -3,11 +3,12 @@ name: Build on PR
 on:
   pull_request:
 
+# implicitely set all other permissions to none
 permissions:
-  checks: write  # required by test reporting action
-  pull-requests: write  # required by test reporting action
-  contents: read  # github default
-  packages: read  # github default
+  checks: write # test.yml
+  contents: read # debos.yml lava-schema-check.yml test.yml
+  packages: read # test.yml
+  pull-requests: write # test.yml
 
 jobs:
   event-file:

.github/workflows/build-on-push.yml

@@ -4,11 +4,12 @@ on:
   push:
     branches: [main]
 
+# implicitely set all other permissions to none
 permissions:
-  checks: write
-  pull-requests: write
-  contents: read
-  packages: read
+  checks: write # test.yml
+  contents: read # debos.yml lava-schema-check.yml test.yml
+  packages: read # test.yml
+  pull-requests: write # test.yml
 
 jobs:
   build-daily:

.github/workflows/debos.yml

@@ -7,10 +7,9 @@ on:
         description: "URL to retrieve build artifacts"
         value: ${{ jobs.build-debos.outputs.url }}
 
-# only need permission to read repository; implicitely set all other
-# permissions to none
+# implicitely set all other permissions to none
 permissions:
-  contents: read
+  contents: read # actions/checkout
 
 # cancel in progress builds for this workflow triggered by the same ref
 concurrency:

.github/workflows/linux.yml

@@ -7,10 +7,9 @@ on:
   # allow manual runs
   workflow_dispatch:
 
-# only need permission to read repository; implicitely set all other
-# permissions to none
+# implicitely set all other permissions to none
 permissions:
-  contents: read
+  contents: read # actions/checkout
 
 env:
   # where results will be posted/hosted

.github/workflows/static-checks.yml

@@ -8,10 +8,9 @@ on:
   push:
     branches: [main]
 
-# only need permission to read repository; implicitely set all other
-# permissions to none
+# implicitely set all other permissions to none
 permissions:
-  contents: read
+  contents: read # actions/checkout
 
 # cancel in progress builds for this workflow triggered by the same ref
 concurrency:

.github/workflows/test-pr.yml

@@ -8,11 +8,14 @@ on:
     types:
       - completed
 
+# implicitely set all other permissions to none
 permissions:
-  checks: write  # required by test reporting action
-  pull-requests: write  # required by test reporting action
-  contents: read  # github default
-  packages: read  # github default
+  checks: write # test.yml EnricoMi/publish-unit-test-result-action
+  contents: read # test.yml actions/checkout
+  packages: read # test.yml actions/download-artifact
+  # test.yml EnricoMi/publish-unit-test-result-action
+  # thollander/actions-comment-pull-request
+  pull-requests: write
 
 jobs:
   retrieve-build-url:

.github/workflows/test.yml

@@ -7,11 +7,12 @@ on:
         required: true
         type: string
 
+# implicitely set all other permissions to none
 permissions:
-  checks: write  # EnricoMi/publish-unit-test-result-action
-  pull-requests: write  # EnricoMi/publish-unit-test-result-action
-  contents: read  # actions/checkout
-  packages: read  # actions/download-artifact
+  checks: write # EnricoMi/publish-unit-test-result-action
+  contents: read # actions/checkout
+  packages: read # actions/download-artifact
+  pull-requests: write # EnricoMi/publish-unit-test-result-action
 
 jobs:
   prepare-job-list:

.github/workflows/u-boot.yml

@@ -7,10 +7,9 @@ on:
   # allow manual runs
   workflow_dispatch:
 
-# only need permission to read repository; implicitely set all other
-# permissions to none
+# implicitely set all other permissions to none
 permissions:
-  contents: read
+  contents: read # actions/checkout
 
 env:
   # where results will be posted/hosted