Fix workflow permissions and cleanup

2026-01-30 16:04:23 +08:00 · 2026-01-29 02:17:35 -08:00 · 2026-01-29 02:17:35 -08:00 · 94056f1871
commit 94056f1871
parent b56bb3a202
6 changed files with 45 additions and 30 deletions
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@ -11,6 +11,9 @@ on:
      - '**.md'
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  call-check-dist:
    name: Check dist/
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -6,15 +6,14 @@ on:
  schedule:
    - cron: '0 19 * * 0'

+permissions:
+  contents: read
+  security-events: write
+
 jobs:
  CodeQL-Build:
    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
    runs-on: ubuntu-latest
-
-    permissions:
-      # required for all workflows
-      security-events: write
-
    steps:
    - name: Checkout repository
      uses: actions/checkout@v5
--- a/.github/workflows/issue-opened-workflow.yml
+++ b/.github/workflows/issue-opened-workflow.yml
@ -1,16 +1,21 @@
 name: Assign issue
+
 on:
  issues:
    types: [opened]
+
+permissions:
+  issues: write
+
 jobs:
  run-action:
    runs-on: ubuntu-latest
    steps:
-    - name: Get current oncall
-      id: oncall
-      run: |
-        echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
-    
-    - name: add_assignees
-      run: |
-        curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.issue.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'
+      - name: Get current oncall
+        id: oncall
+        run: |
+          echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
+
+      - name: add_assignees
+        run: |
+          curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.issue.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'
--- a/.github/workflows/licensed.yml
+++ b/.github/workflows/licensed.yml
@ -9,6 +9,9 @@ on:
      - main
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  validate-cached-dependency-records:
    runs-on: ubuntu-latest
--- a/.github/workflows/pr-opened-workflow.yml
+++ b/.github/workflows/pr-opened-workflow.yml
@ -1,20 +1,25 @@
 name: Add Reviewer PR
+
 on:
  pull_request_target:
    types: [opened]
+
+permissions:
+  pull-requests: write
+
 jobs:
  run-action:
    runs-on: ubuntu-latest
    steps:
-    - name: Get current oncall
-      id: oncall
-      run: |
-        echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
-    
-    - name: Request Review
-      run: |
-        curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/pulls/${{ github.event.pull_request.number}}/requested_reviewers -d '{"reviewers":["${{steps.oncall.outputs.CURRENT}}"]}'
-        
-    - name: Add Assignee
-      run: |
-        curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.pull_request.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'    
+      - name: Get current oncall
+        id: oncall
+        run: |
+          echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
+
+      - name: Request Review
+        run: |
+          curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/pulls/${{ github.event.pull_request.number}}/requested_reviewers -d '{"reviewers":["${{steps.oncall.outputs.CURRENT}}"]}'
+
+      - name: Add Assignee
+        run: |
+          curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.pull_request.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'    
--- a/.github/workflows/publish-immutable-actions.yml
+++ b/.github/workflows/publish-immutable-actions.yml
@ -4,14 +4,14 @@ on:
  release:
    types: [released]

+permissions:
+  contents: read
+  id-token: write
+  packages: write
+
 jobs:
  publish:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
    steps:
      - name: Checking out
        uses: actions/checkout@v5