ci: use consistent permissions in workflows (#2)

2026-02-13 00:25:10 -05:00 · 2024-07-12 17:08:45 -06:00
parent 0adb59c273
commit 2fa93f3f70
3 changed files with 8 additions and 9 deletions
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -24,16 +24,15 @@ permissions: read-all
 jobs:
  lint:
    if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
-    name: run lint
+    name: lint
    runs-on: ubuntu-latest
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}
      cancel-in-progress: true
    permissions:
      contents: 'read'
-      id-token: 'write'
-      issues: write
-      pull-requests: write
+      issues: 'write'
+      pull-requests: 'write'
    steps:
      - name: Remove PR Label
        if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -25,8 +25,9 @@ jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
-      issues: write
-      pull-requests: write
+      contents: 'read'
+      issues: 'write'
+      pull-requests: 'write'
    steps:
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
      - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -37,9 +37,8 @@ jobs:
      fail-fast: false
    permissions:
      contents: 'read'
-      id-token: 'write'
-      issues: write
-      pull-requests: write
+      issues: 'write'
+      pull-requests: 'write'
    steps:
      - name: Remove PR label
        if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"