diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3a0f6772f..2d5b67456 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -90,7 +90,7 @@ jobs: with: firefox-version: latest - name: Download geckodriver - env: + env: GECKODRIVER_VERSION: v0.33.0 run: curl -sL https://github.com/mozilla/geckodriver/releases/download/${{env.GECKODRIVER_VERSION}}/geckodriver-${{env.GECKODRIVER_VERSION}}-linux64.tar.gz | tar xzvf - - name: Add to PATH
diff --git a/.github/workflows/dependent-issues.yml b/.github/workflows/dependent-issues.yml
index d38ef9bef..e55930b83 100644
--- a/.github/workflows/dependent-issues.yml
+++ b/.github/workflows/dependent-issues.yml
@@ -20,6 +20,10 @@ on: jobs: check: + permissions: + issues: write + pull-requests: write + statuses: write runs-on: ubuntu-latest steps: - uses: z0al/dependent-issues@v1
diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml
index 46bcac5f4..1884e0ce1 100644
--- a/.github/workflows/image-cleanup.yml
+++ b/.github/workflows/image-cleanup.yml
@@ -9,12 +9,14 @@ jobs: delete-images: name: Delete PR-scoped test images runs-on: ubuntu-latest + permissions: + packages: write steps: - uses: r26d/ghcr-delete-image-action@v1.2.2 with: owner: ${{ github.repository_owner }} name: cryostat-web - token: ${{ secrets.GHCR_PR_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} ignore-missing-package: true tag-regex: pr-${{ github.event.number }}-.* tagged-keep-latest: 0
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 20d37f364..0f8167e4c 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,14 +2,13 @@ name: Label pull request on: pull_request_target: - types: + types: - opened - reopened jobs: triage: permissions: - contents: read pull-requests: write runs-on: ubuntu-latest if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' 
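Review bot: In `.github/workflows/dependent-issues.yml` the new `permissions:` block hands a token with `issues`, `pull-requests` and `statuses` write access to `z0al/dependent-issues@v1`, which is referenced by a movable tag, so whatever code that tag resolves to at run time receives the write token. Pinning the action to a full commit SHA, e.g. `- uses: z0al/dependent-issues@<full-commit-sha> # v1`, keeps the grant tied to code that was reviewed. The same applies to the other tag-referenced third-party actions that gain write scopes in this commit: `r26d/ghcr-delete-image-action@v1.2.2`, `yashhy/pr-label-check-and-comment-action@v1.0.1`, `release-drafter/release-drafter@v5` and `amannn/action-semantic-pull-request@v3.4.0`. The workflow's trigger list is outside the hunk, so which events can reach this job should be confirmed separately.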
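Review bot: In `.github/workflows/image-cleanup.yml`, switching `token:` to `secrets.GITHUB_TOKEN` only works if the `cryostat-web` package grants this repository's Actions enough access to delete versions; `packages: write` in the workflow does not by itself confer rights on a package that is not linked to the repository. The trigger is outside the hunk, but `github.event.number` suggests a pull-request event, and on `pull_request` runs from forks the token is read-only regardless of this block, so the cleanup should be verified against a fork PR; a cleanup that does nothing leaves PR-scoped images published. If no other workflow still uses it, the `GHCR_PR_TOKEN` secret and the credential behind it should be revoked after this merges so the long-lived token does not linger. A comment above `permissions:` such as `# GITHUB_TOKEN must be granted access in the cryostat-web package settings` would record the dependency.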
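Review bot: In `.github/workflows/labeler.yml`, dropping `contents: read` leaves the `triage` job with `pull-requests: write` only, and every scope not listed in a `permissions:` block is set to none. The steps are outside the hunk; if the job uses a labeler action that fetches its configuration file through the API, it may need `contents: read` to do so, and labelling would then fail. Because the workflow runs on `pull_request_target`, keeping the grant minimal is the right direction, so if the removal is intentional a short comment such as `# no contents scope: this job never reads repository files` above `pull-requests: write` would document why.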
diff --git a/.github/workflows/linked-issue.yml b/.github/workflows/linked-issue.yml
index abf45e25b..4f15c8ebd 100644
--- a/.github/workflows/linked-issue.yml
+++ b/.github/workflows/linked-issue.yml
@@ -11,6 +11,8 @@ on: jobs: verify-linked-issue: runs-on: ubuntu-latest + permissions: + pull-requests: write if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' name: Verify Pull Request references Issue steps:
diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml
index 0bc7d6e42..e90305137 100644
--- a/.github/workflows/pr-ci.yml
+++ b/.github/workflows/pr-ci.yml
@@ -43,7 +43,7 @@ jobs: repo, comment_id: context.payload.comment.id, content: "+1", - }); + }); checkout-branch: runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-labeled.yml b/.github/workflows/pr-labeled.yml
index 102c185d6..658dbabd5 100644
--- a/.github/workflows/pr-labeled.yml
+++ b/.github/workflows/pr-labeled.yml
@@ -11,6 +11,8 @@ on: jobs: check-pr-label-and-comment: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: yashhy/pr-label-check-and-comment-action@v1.0.1 with:
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 5abf1524f..3d3c7b229 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -16,6 +16,8 @@ on: jobs: update_release_draft: runs-on: ubuntu-latest + permissions: + contents: write steps: # Drafts your next Release notes as Pull Requests are merged into "main" - uses: release-drafter/release-drafter@v5
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
index c5c8a5df1..e231defc2 100644
--- a/.github/workflows/semantic-pr.yml
+++ b/.github/workflows/semantic-pr.yml
@@ -11,6 +11,9 @@ on: jobs: main: runs-on: ubuntu-latest + permissions: + pull-requests: write + statuses: write steps: - uses: amannn/action-semantic-pull-request@v3.4.0 env:
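Review bot: In `.github/workflows/release-drafter.yml` the added block grants only `contents: write`, which sets `pull-requests` to none for `release-drafter/release-drafter@v5`. The action builds its draft from merged pull requests, and its documented example lists at least read access to pull requests next to `contents: write`, so consider adding `pull-requests: read` under `permissions:`. The rest of the job is outside the hunk; if the autolabeler feature is configured there, it would need `pull-requests: write` instead.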
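Review bot: In `.github/workflows/semantic-pr.yml`, `pull-requests: write` looks broader than a title check needs; if `amannn/action-semantic-pull-request@v3.4.0` only reads the pull request and reports through a commit status, `pull-requests: read` together with `statuses: write` may be enough. The trigger is outside the hunk; if it is `pull_request_target`, the token is writable for fork PRs as well, which makes the narrower scope more valuable. Suggested line: `pull-requests: read`, with a one-line comment stating which scope the action needs and why.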