From da5960b6a4e51d78e419fa774f3097012b2cc23c Mon Sep 17 00:00:00 2001 From: Mattia Dal Ben Date: Tue, 1 Oct 2024 11:25:14 +0200 Subject: [PATCH] ci: fix Github actions permissions (#5386) * ci: fix github actions permissions * ci: add contents:write permissions --- .github/workflows/backport.yml | 4 ++++ .github/workflows/release-notes.yml | 11 ++++++++--- .github/workflows/stale-issues.yml | 4 ++++ .github/workflows/version-uptick.yml | 4 ++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index f2ebbdb1f0d..15a903fee8d 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -5,6 +5,10 @@ on: - closed - labeled +permissions: + contents: write + pull-requests: write + jobs: backport: name: Backport diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml index 7be089f2935..5b339da429e 100644 --- a/.github/workflows/release-notes.yml +++ b/.github/workflows/release-notes.yml @@ -12,6 +12,11 @@ on: description: Overwrite the content of TODO fields in generated release notes (typically needed for RC1 notes) required: true default: false + +permissions: + contents: write + pull-requests: write + jobs: main: name: Generate Release Notes @@ -34,7 +39,7 @@ jobs: -Pjava8 )\" >> \"${GITHUB_OUTPUT}\"" shell: bash - + - name: Check file existence id: check_files continue-on-error: true @@ -70,7 +75,7 @@ jobs: -t .github/release_notes_template/template.hbs \ -hhf .github/release_notes_template/helper.hbs \ -of ./kura/distrib/RELEASE_NOTES.txt - + - name: Files exist write description id: get-description if: steps.check_files.outputs.exists == 'true' && github.event.inputs.overwrite == 'false' 
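Review bot: The added `permissions:` block in backport.yml is declared at workflow level, so every job in the file, including any added later, receives `contents: write` and `pull-requests: write`; the blocks added to release-notes.yml, stale-issues.yml and version-uptick.yml have the same shape. Declaring the scopes under the job instead (`permissions:` inside `jobs.backport`, with `permissions: {}` at the top of the workflow) keeps the write grant tied to the one job that uses it. The event name of the `on:` trigger sits above this hunk; if it is `pull_request_target`, the job runs with a write-scoped token on pull requests from forks, so it is worth confirming that no step checks out or executes code from the pull request head. The `jobs.backport` body continues outside the hunk.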
@@ -80,7 +85,7 @@ jobs: awk 'NR==FNR { desc = (desc == "" ? $0 : desc "\n" $0); next } /\[TODO\]/ && !done { sub(/\[TODO\]/, desc); done=1 } 1' target-env.txt done=0 ./kura/distrib/RELEASE_NOTES.txt > tmpfile && mv tmpfile ./kura/distrib/RELEASE_NOTES.txt awk 'NR==FNR { desc = (desc == "" ? $0 : desc "\n" $0); next } /\[TODO\]/ && !done { sub(/\[TODO\]/, desc); done=1 } 1' known-issues.txt done=0 ./kura/distrib/RELEASE_NOTES.txt > tmpfile && mv tmpfile ./kura/distrib/RELEASE_NOTES.txt shell: bash - + - name: Files exist clean up id: clean-up-files if: steps.check_files.outputs.exists == 'true' && github.event.inputs.overwrite == 'false' diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml index e6e5e84b3a8..09b8a74177d 100644 --- a/.github/workflows/stale-issues.yml +++ b/.github/workflows/stale-issues.yml @@ -3,6 +3,10 @@ on: schedule: - cron: "30 1 * * *" +permissions: + issues: write + pull-requests: write + jobs: close-issues: runs-on: ubuntu-latest diff --git a/.github/workflows/version-uptick.yml b/.github/workflows/version-uptick.yml index 5a2a15c3971..6611f24c2be 100644 --- a/.github/workflows/version-uptick.yml +++ b/.github/workflows/version-uptick.yml @@ -18,6 +18,10 @@ on: - uptick_snapshot_to_release.yml required: true +permissions: + contents: write + pull-requests: write + jobs: uptick: runs-on: ubuntu-latest
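Review bot: `pull-requests: write` in stale-issues.yml may be broader than this scheduled workflow needs. The job visible in the hunk is `close-issues`, and if its stale step is configured to process issues only, `issues: write` alone is enough. The step configuration is outside the hunk, so this needs checking against the action's inputs. If pull requests are handled as well, a comment such as `# pull-requests: write is needed to label and close stale PRs` above the scope would record why it is granted.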
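Review bot: Nothing beside the new block in version-uptick.yml records which step needs each write scope, so a later reviewer cannot tell whether `contents: write` or `pull-requests: write` can be narrowed. A short comment above the block would do, for example `# contents: write to push the version-bump branch; pull-requests: write to open the PR`, adjusted to what the steps (outside this hunk) actually do. If the job opens the pull request with the default `GITHUB_TOKEN`, the repository or organization setting that allows Actions to create pull requests must also be enabled; the `permissions:` block does not override it.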