diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f8bf7720..9722f25b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,10 @@ on:
- rc
workflow_dispatch:
+permissions:
+ contents: read
+ pull-requests: write
+
jobs:
test:
name: Test / OS ${{ matrix.os }} / Node ${{ matrix.node }}
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index eeab8673..8f7ddb43 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -5,8 +5,7 @@ on:
branches-ignore: # Run the checks on all branches but the protected ones
- master
- release/*
-
- pull_request_target:
+ pull_request:
branches:
- master
- release/*
@@ -31,7 +30,7 @@ jobs:
sparse-checkout: |
.github
- - if: ${{ github.event_name == 'pull_request_target' }}
+ - if: ${{ github.event_name == 'pull_request' }}
run: |
set -ex
TMP_FILE=$(mktemp)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index ed5ed2de..01d77fea 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -6,6 +6,10 @@ on:
- master
workflow_dispatch:
+permissions:
+ contents: write
+ pages: write
+
jobs:
docs:
name: Publish docs / OS ${{ matrix.os }} / Node ${{ matrix.node }}
diff --git a/.github/workflows/dogfooding.yml b/.github/workflows/dogfooding.yml
index 03188b75..59fd7f32 100644
--- a/.github/workflows/dogfooding.yml
+++ b/.github/workflows/dogfooding.yml
@@ -4,12 +4,15 @@ on:
pull_request_review:
types: [submitted, edited]
- pull_request_target:
+ pull_request:
types:
- opened
branches:
- '*'
+permissions:
+ contents: read
+
jobs:
check_dogfooding:
runs-on: ubuntu-latest
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
index e93bd9d2..b7b521d6 100644
--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
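Review bot: `pull-requests: write` is declared at workflow level in ci.yml, so every job in the file — including the `test` matrix job visible in this hunk — receives it, although a test job normally needs nothing beyond `contents: read`. If a single job posts to the PR, move the grant into that job's own `permissions:` block and keep the workflow-level block at `contents: read` only. Note also that on `pull_request` runs from forks the token is read-only regardless of this declaration, so any PR-writing step should tolerate a 403 there rather than fail the run.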
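Review bot: After the switch from `pull_request_target` to `pull_request`, conventional-commits.yml is the one workflow in this commit that gains no `permissions:` block, so its job keeps the repository's default token scope; unless one is already set further down the file, add a top-level `permissions:` block with `contents: read` (plus `pull-requests: write` only if the check reports back to the PR). Moving off `pull_request_target` is the safer direction, since the job now runs the PR's own workflow definition with a fork-restricted token instead of base-branch privileges. The `if:` guard in the hunk at line 30 is updated consistently with this rename. The `on:` block continues outside this hunk.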
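Review bot: `contents: write` and `pages: write` are granted workflow-wide in docs.yml, and the job name shows a matrix (`OS ${{ matrix.os }} / Node ${{ matrix.node }}`), so every matrix leg runs with write access to the repository rather than only the leg that publishes. If the publish step uses `actions/deploy-pages`, it also requires `id-token: write`, which this block does not grant; if it instead pushes to a `gh-pages` branch, `contents: write` alone is enough and `pages: write` can be dropped. Either way, prefer `contents: read` at workflow level with the write scopes on the publishing job only. The deploy step is outside this hunk, so which case applies is not visible here.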
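Review bot: With the trigger changed to `pull_request` and the token narrowed to `contents: read`, any step in `check_dogfooding` that comments on or labels the PR would now be denied, because neither this block nor a fork-originated `pull_request` run grants `pull-requests: write`; the job body is outside this hunk, so confirm it only reads. The `pull_request_review` trigger is unaffected by the rename and still runs in the base repository's context with the same narrowed token. If write-back is needed, grant `pull-requests: write` on the job rather than widening this workflow-level block.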
@@ -19,6 +19,9 @@ on:
type: string
required: true
+permissions:
+ contents: read
+
jobs:
publish:
runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a9c0f58e..e7a58c76 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
- master
- release/*
+permissions:
+ contents: read
+
jobs:
release_please:
runs-on: ubuntu-latest
@@ -54,7 +57,7 @@ jobs:
# release-please only ignores releases that have a form like [A-Z0-9], so prefixing with rc
RELEASE_NAME="rc$RELEASE_VERSION"
else
- MAIN_RELEASE_VERSION=${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}
+ MAIN_RELEASE_VERSION="${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}"
RELEASE_VERSION="$MAIN_RELEASE_VERSION"
RELEASE_NAME="v$RELEASE_VERSION"
fi
@@ -125,7 +128,7 @@ jobs:
PR_NUMBER='${{ steps.release.outputs.pr && fromJSON(steps.release.outputs.pr).number }}'
GH_TOKEN='${{ github.token }}' gh release \
- create $RELEASE_NAME \
+ create "$RELEASE_NAM"E \
--title "v$RELEASE_VERSION" \
--prerelease \
-n "This is a release candidate. See release-please PR #$PR_NUMBER for context."
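Review bot: `contents: read` is the right floor for manual-publish.yml, but it is sufficient only if the `publish` job authenticates to the registry with a stored secret; if it publishes to npm via trusted publishing (OIDC) it also needs `id-token: write`, and if it tags or pushes after publishing it needs `contents: write`. Grant whichever applies on the `publish` job itself rather than here, so the workflow-level default stays read-only. The job's steps are outside this hunk.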
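Review bot: `contents: read` at workflow level conflicts with the release step later in this same file: the hunk at line 128 runs `gh release create` with `GH_TOKEN='${{ github.token }}'`, and creating a release requires `contents: write`, so that step will be rejected with a 403 unless the `release_please` job declares its own `permissions:` block (which would be outside this hunk). release-please itself also opens and updates PRs, which needs `pull-requests: write` when it runs on the same token. If a PAT is supplied for those steps, this block is fine as is; otherwise give the `release_please` job `permissions: { contents: write, pull-requests: write }` at job level and keep the workflow-level block read-only.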
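Review bot: The quoting added here is correct, but the matching change in the hunk at line 128 is mistyped: `create "$RELEASE_NAM"E \` closes the quote one character early, so the shell expands the unset `$RELEASE_NAM` to an empty string and the release is created with the literal name `E` (or the script aborts first, if `set -u` is in effect there). It should read `create "$RELEASE_NAME" \`. As a style point, interpolating `${{ steps.release.outputs.* }}` straight into `run:` text is the pattern GitHub's own guidance flags as script-injection-prone; version numbers from release-please are low risk, but passing them through `env:` and expanding `$MAJOR.$MINOR.$PATCH` in the shell is the safer habit. The enclosing `if`/`else` block starts outside this hunk.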