chore: explicit permission in actions (#3411)

doublethink · sweatybridge · web-flow · commit 09d48700439e · 2025-05-23T22:47:08.000+08:00
* ci: explicit permission in actions

* fix: pnpm allow build flag

* chore: add comment

---------

Co-authored-by: Qiao Han &lt;qiao@supabase.io&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - develop
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test
diff --git a/.github/workflows/deploy-check.yml b/.github/workflows/deploy-check.yml
@@ -1,7 +1,7 @@
 name: Check Deploy
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - reopened
@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions: 
+  contents: read
+
 jobs:
   check:
     if: github.head_ref != 'develop'
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
@@ -14,6 +14,9 @@ on:
       - 'package.json'
       - 'scripts/**'
 
+permissions:
+  contents: write
+
 jobs:
   pack:
     runs-on: ubuntu-latest
@@ -99,7 +102,8 @@ jobs:
 
       - run: npm install -g pnpm
       - run: pnpm init
-      - run: pnpm i --save-dev ./supabase-1.28.0.tgz
+      # https://github.com/pnpm/pnpm/issues/9124#issuecomment-2663021284
+      - run: pnpm i --save-dev ./supabase-1.28.0.tgz --allow-build=supabase
       - run: pnpm supabase --version
 
   bun:
diff --git a/.github/workflows/mirror-image.yml b/.github/workflows/mirror-image.yml
@@ -13,6 +13,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   mirror:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
@@ -19,6 +19,9 @@ on:
       - submitted
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   setup:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pg-prove.yml b/.github/workflows/pg-prove.yml
@@ -3,6 +3,9 @@ name: Publish pg_prove
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   settings:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-migra.yml b/.github/workflows/publish-migra.yml
@@ -3,6 +3,9 @@ name: Publish migra
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   settings:
     runs-on: ubuntu-latest
@@ -70,9 +73,9 @@ jobs:
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Merge multi-arch manifests
         run: |
-          docker buildx imagetools create -t ${{ needs.settings.outputs.image_tag }} \
-          ${{ needs.settings.outputs.image_tag }}_amd64 \
-          ${{ needs.settings.outputs.image_tag }}_arm64
+          docker buildx imagetools create -t "${{ needs.settings.outputs.image_tag }}" \
+          "${{ needs.settings.outputs.image_tag }}_amd64" \
+          "${{ needs.settings.outputs.image_tag }}_arm64"
 
   publish:
     needs:
diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml
@@ -6,6 +6,9 @@ on:
       - develop
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   release:
     name: semantic-release
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,10 @@ on:
       - main
   workflow_call:
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   settings:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tag-npm.yml b/.github/workflows/tag-npm.yml
@@ -13,6 +13,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   tag:
     name: Move latest tag
