From 056748ba9fac0b935a9a790725c70bdabc2fc8ac Mon Sep 17 00:00:00 2001 From: Clement Tsang <34804052+ClementTsang@users.noreply.github.com> Date: Sat, 11 Apr 2026 18:50:03 -0400 Subject: [PATCH] ci: tweak workflow permissions more (#2026) * ci: fix clear cache workflow permissions * fix perms for deployment/nightly * more finely scope other tasks * fix nightly * change name * fix docs permissions --- .github/workflows/bsd_vm_check.yml | 2 ++ .github/workflows/build_releases.yml | 2 ++ .github/workflows/clear_workflow_cache.yml | 2 ++ .github/workflows/deployment.yml | 11 +++++++---- .github/workflows/docs.yml | 11 +++++++---- .github/workflows/nightly.yml | 16 +++++++++++----- .github/workflows/post_release.yml | 9 ++++++--- .github/workflows/publish_github_pages.yml | 2 ++ 8 files changed, 39 insertions(+), 16 deletions(-) diff --git a/.github/workflows/bsd_vm_check.yml b/.github/workflows/bsd_vm_check.yml index ed6e307b..7e60016a 100644 --- a/.github/workflows/bsd_vm_check.yml +++ b/.github/workflows/bsd_vm_check.yml @@ -1,5 +1,7 @@ # Run BSD VM jobs with manually-implemented retries. +name: "bsd vm check" + on: workflow_call: inputs: diff --git a/.github/workflows/build_releases.yml b/.github/workflows/build_releases.yml index c747e81c..2fbfac2e 100644 --- a/.github/workflows/build_releases.yml +++ b/.github/workflows/build_releases.yml @@ -10,6 +10,8 @@ # TODO: Break this up into scripts instead. # TODO: Trigger this in CI as well if this file changes, so I don't have to spam nightly builds. +name: "build releases" + on: workflow_call: inputs: diff --git a/.github/workflows/clear_workflow_cache.yml b/.github/workflows/clear_workflow_cache.yml index 5891f8df..069828f2 100644 --- a/.github/workflows/clear_workflow_cache.yml +++ b/.github/workflows/clear_workflow_cache.yml 
@@ -19,6 +19,8 @@ permissions: {} jobs: clear-cache: + permissions: + actions: write if: ${{ github.event_name != 'pull_request' || ! github.event.pull_request.head.repo.fork }} # If it is a PR, only if not a fork runs-on: ubuntu-24.04 env: diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 4295a1f2..f8867ace 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -12,10 +12,7 @@ on: tags: - "[0-9]+.[0-9]+.[0-9]+" -permissions: - id-token: write - contents: read - attestations: write +permissions: {} env: CARGO_INCREMENTAL: 0 @@ -45,6 +42,10 @@ jobs: build-release: needs: [initialize] + permissions: + id-token: write + contents: read + attestations: write uses: ./.github/workflows/build_releases.yml with: caller: "deployment" @@ -97,6 +98,8 @@ jobs: runs-on: ubuntu-24.04 needs: [initialize, generate-choco, build-release] environment: production + permissions: + contents: write steps: - name: Set release version shell: bash diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 362db0b2..15d23219 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,4 +1,4 @@ -# Workflow to deploy mkdocs documentation. +# Workflow to deploy nightly mkdocs documentation. name: docs @@ -18,9 +18,7 @@ on: - "docs/**" - ".github/workflows/docs.yml" -permissions: - pages: write - id-token: write +permissions: {} env: # Assign commit authorship to official GitHub Actions bot when pushing to the `gh-pages` branch: @@ -31,6 +29,8 @@ jobs: build-documentation: name: Build and deploy docs runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -56,5 +56,8 @@ jobs: publish-gh-pages: needs: [build-documentation] + permissions: + pages: write + id-token: write uses: ./.github/workflows/publish_github_pages.yml secrets: inherit 
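Review bot: Collapsing the workflow-level block to `permissions: {}` in deployment.yml leaves every job that this diff does not give its own block — `initialize` and `generate-choco`, visible only in the later hunks' `needs:` lists — running with a GITHUB_TOKEN that has no scopes at all, whereas the removed top-level block gave them `contents: read`. If any of their steps rely on the token (a checkout that authenticates, the `gh` CLI, anything hitting the REST API), that fails at run time rather than at lint time, so it is worth confirming they need nothing or giving them an explicit `permissions:` / `contents: read` block. The same applies to `initialize-job` in nightly.yml and `initialize` in post_release.yml, which those hunks also leave without a job-level block under the new empty top-level one.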
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 27f2bf3e..821f2c03 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -14,11 +14,7 @@ on: required: false type: boolean -permissions: - id-token: write - contents: read - attestations: write - pages: write +permissions: {} env: CARGO_INCREMENTAL: 0 @@ -53,6 +49,10 @@ jobs: build-release: needs: initialize-job if: ${{ needs.initialize-job.outputs.should_skip != 'true' }} + permissions: + id-token: write + contents: read + attestations: write uses: ./.github/workflows/build_releases.yml with: caller: "nightly" @@ -62,6 +62,8 @@ jobs: name: upload-release needs: build-release runs-on: ubuntu-24.04 + permissions: + contents: write outputs: TAG_NAME: ${{ steps.tag_release_name.outputs.TAG_NAME }} steps: @@ -152,6 +154,10 @@ jobs: docs: needs: [initialize-job, upload-release] if: ${{ needs.initialize-job.outputs.should_skip != 'true' && github.event.inputs.isMock != 'true' }} + permissions: + pages: write + id-token: write + contents: write uses: ./.github/workflows/docs.yml secrets: inherit with: diff --git a/.github/workflows/post_release.yml b/.github/workflows/post_release.yml index 046b3ae9..28967933 100644 --- a/.github/workflows/post_release.yml +++ b/.github/workflows/post_release.yml @@ -13,9 +13,7 @@ on: description: "Which tag to deploy as:" required: true -permissions: - pages: write - id-token: write +permissions: {} env: # Assign commit authorship to official GitHub Actions bot when pushing to the `gh-pages` branch: @@ -48,6 +46,8 @@ jobs: docs: needs: [initialize] runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: Set release version shell: bash @@ -80,6 +80,9 @@ jobs: publish-gh-pages: needs: [docs] + permissions: + pages: write + id-token: write uses: ./.github/workflows/publish_github_pages.yml secrets: inherit 
diff --git a/.github/workflows/publish_github_pages.yml b/.github/workflows/publish_github_pages.yml index ae4bf3df..9889b1ce 100644 --- a/.github/workflows/publish_github_pages.yml +++ b/.github/workflows/publish_github_pages.yml @@ -8,6 +8,8 @@ on: workflow_dispatch: workflow_call: +permissions: {} + jobs: build: runs-on: ubuntu-24.04
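Review bot: A top-level `permissions: {}` inside this reusable workflow is itself a downgrade: a called workflow's own `permissions` are applied on top of whatever the caller job grants, so the `pages: write` and `id-token: write` that the `publish-gh-pages` jobs in docs.yml and post_release.yml now pass in are dropped unless a job in this file re-declares them. The diffstat shows only these two added lines here and the hunk ends right after `build:`, so the job that performs the Pages deployment lies outside the hunk; if it does not already carry a job-level block, it needs one along the lines of `permissions:` with `pages: write` and `id-token: write`. The `workflow_dispatch` entry point is affected the same way, since a manual run would otherwise execute with an empty token.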