Commit 04501d4

zMynxxlior-dux_clbt
and
lior-dux_clbt
authored
docs: More restrictive permissions (#280)
* Update README.md
* Update README.md
* permissions block moved
* permissions block moved
* Update lint-pr-title-preview-validateSingleCommit.yml
* Update lint-pr-title-preview.yml
* Update lint-pr-title.yml
* Update release.yml
* Update versioning.yml
* permissions block move, added `-o pipefail` flag for pipe errors
* Update lint-pr-title-preview-outputErrorMessage.yml
* fix(url): remove ). for the see url msg
* Revert to secrets.GITHUB_TOKEN

changed back to using secrets.GITHUB_TOKEN as requested by owner

---------

Co-authored-by: lior-dux_clbt <[email protected]>
1 parent 40166f0 commit 04501d4

10 files changed

+30
-33
lines changed

.github/workflows/lint-pr-title-preview-ignoreLabels.yml

+2-3
@@ -8,12 +8,11 @@ on:
88
- labeled
99
- unlabeled
1010

11-
permissions:
12-
pull-requests: read
13-
1411
jobs:
1512
main:
1613
runs-on: ubuntu-latest
14+
permissions:
15+
pull-requests: read
1716
steps:
1817
- uses: actions/checkout@v3
1918
- uses: actions/setup-node@v3
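
Review bot: with the workflow-level `permissions:` block removed and the grant placed only under `jobs.main`, any job added to this file later without its own `permissions:` key falls back to the repository or organization default for `GITHUB_TOKEN`, which may be broader than `pull-requests: read`. Keep a deny-by-default `permissions: {}` at the top of the workflow and leave the job-level `pull-requests: read` as the explicit grant. The same applies to the other workflow files in this commit that receive the identical move.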

.github/workflows/lint-pr-title-preview-outputErrorMessage.yml

+3-4
@@ -6,12 +6,11 @@ on:
66
- edited
77
- synchronize
88

9-
permissions:
10-
pull-requests: write
11-
129
jobs:
1310
main:
1411
runs-on: ubuntu-latest
12+
permissions:
13+
pull-requests: write
1514
steps:
1615
- uses: actions/checkout@v3
1716
- uses: actions/setup-node@v3
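
Review bot: `pull-requests: write` under `jobs.main` applies to every step in the job, including `actions/checkout@v3`, `actions/setup-node@v3` and whatever is installed and run after them, not only the step that posts the comment. Consider running the lint steps in a job with `pull-requests: read` and moving the comment step into a separate job that alone holds `pull-requests: write`, passing the result between them as a job output.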
@@ -44,4 +43,4 @@ jobs:
4443
uses: marocchino/sticky-pull-request-comment@v2
4544
with:
4645
header: pr-title-lint-error
47-
delete: true
46+
delete: true
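
Review bot: the context line `uses: marocchino/sticky-pull-request-comment@v2` references a third-party action by a mutable tag in a job that holds `pull-requests: write`; pin it to a full commit SHA (with the tag kept in a trailing comment) so a retagged release cannot run with that token. The only changed line, `delete: true`, has identical text on both sides, so this looks like an end-of-file newline fix; it is harmless but unrelated to the permissions change and would be easier to review in its own commit.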

.github/workflows/lint-pr-title-preview-validateSingleCommit.yml

+2-3
@@ -6,12 +6,11 @@ on:
66
- edited
77
- synchronize
88

9-
permissions:
10-
pull-requests: read
11-
129
jobs:
1310
main:
1411
runs-on: ubuntu-latest
12+
permissions:
13+
pull-requests: read
1514
steps:
1615
- uses: actions/checkout@v3
1716
- uses: actions/setup-node@v3

.github/workflows/lint-pr-title-preview.yml

+2-3
@@ -6,12 +6,11 @@ on:
66
- edited
77
- synchronize
88

9-
permissions:
10-
pull-requests: read
11-
129
jobs:
1310
main:
1411
runs-on: ubuntu-latest
12+
permissions:
13+
pull-requests: read
1514
steps:
1615
- uses: actions/checkout@v3
1716
- uses: actions/setup-node@v3

.github/workflows/lint-pr-title.yml

+2-3
@@ -6,12 +6,11 @@ on:
66
- edited
77
- synchronize
88

9-
permissions:
10-
pull-requests: read
11-
129
jobs:
1310
main:
1411
runs-on: ubuntu-latest
12+
permissions:
13+
pull-requests: read
1514
steps:
1615
- uses: actions/checkout@v3
1716
- uses: actions/setup-node@v3

.github/workflows/release.yml

+5-6
@@ -4,15 +4,14 @@ on:
44
branches:
55
- main
66

7-
permissions:
8-
contents: write
9-
deployments: write
10-
issues: write
11-
pull-requests: write
12-
137
jobs:
148
main:
159
runs-on: ubuntu-latest
10+
permissions:
11+
contents: write
12+
deployments: write
13+
issues: write
14+
pull-requests: write
1615
steps:
1716
- uses: actions/checkout@v4
1817
- uses: actions/setup-node@v4
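
Review bot: the job-level block on `main` still grants four write scopes (`contents`, `deployments`, `issues`, `pull-requests`), the same set that was removed from the workflow level, so the token this job receives is not narrowed by the change. Confirm each scope against what the release steps actually call and drop any that are unused; `deployments: write` and `issues: write` are the ones worth checking first.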

.github/workflows/test.yml

+5-4
@@ -6,12 +6,11 @@ on:
66
- reopened
77
- synchronize
88

9-
permissions:
10-
contents: read
11-
129
jobs:
1310
main:
1411
runs-on: ubuntu-latest
12+
permissions:
13+
contents: read
1514
steps:
1615
- uses: actions/checkout@v3
1716
- uses: actions/setup-node@v3
@@ -22,13 +21,15 @@ jobs:
2221

2322
dist:
2423
runs-on: ubuntu-latest
24+
permissions:
25+
contents: read
2526
steps:
2627
- uses: actions/checkout@v3
2728
with:
2829
fetch-depth: 0
2930
- name: Check if `dist/` has been modified.
3031
run: |
31-
set -eux
32+
set -euxo pipefail
3233
3334
if [ $(git diff origin/main --name-only -- 'dist/**' | wc -l) -gt 0 ]
3435
then
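
Review bot: `-o pipefail` on the `set -euxo pipefail` line does not protect the check that follows, because the pipeline `git diff origin/main --name-only -- 'dist/**' | wc -l` runs inside a command substitution that is an argument to `[` in an `if` condition, where its exit status is discarded. If `git diff` fails (for example, `origin/main` is not available), `wc -l` prints 0, the test is false, and the `dist/` check passes silently. Assign the count on its own line first, e.g. `changed=$(git diff origin/main --name-only -- 'dist/**' | wc -l)`, so that `-e` and `pipefail` abort the step on failure, then test `[ "$changed" -gt 0 ]` with the variable quoted.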

.github/workflows/versioning.yml

+2-3
@@ -4,11 +4,10 @@ on:
44
release:
55
types: [published, edited]
66

7-
permissions:
8-
deployments: write
9-
107
jobs:
118
actions-tagger:
129
runs-on: ubuntu-latest
10+
permissions:
11+
deployments: write
1312
steps:
1413
- uses: Actions-R-Us/actions-tagger@v2
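
Review bot: once a `permissions:` block is present, every scope not listed is set to `none`, so the `actions-tagger` job runs `Actions-R-Us/actions-tagger@v2` with `deployments: write` and nothing else. Confirm against that action's documentation that `deployments` is the scope it needs and that it does not also require `contents: write`; if the grant is wrong the job fails only when a release is published or edited, which is easy to miss in review. As a third-party action holding a write scope, it is also worth pinning to a commit SHA rather than `@v2`.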

README.md

+6-3
@@ -31,13 +31,12 @@ on:
3131
- synchronize
3232
- reopened
3333

34-
permissions:
35-
pull-requests: read
36-
3734
jobs:
3835
main:
3936
name: Validate PR title
4037
runs-on: ubuntu-latest
38+
permissions:
39+
pull-requests: read
4140
steps:
4241
- uses: amannn/action-semantic-pull-request@v5
4342
env:
@@ -135,6 +134,8 @@ jobs:
135134
main:
136135
name: Validate PR title
137136
runs-on: ubuntu-latest
137+
permissions:
138+
pull-requests: read
138139
steps:
139140
- uses: amannn/action-semantic-pull-request@v5
140141
env:
@@ -192,6 +193,8 @@ jobs:
192193
main:
193194
name: Validate PR title
194195
runs-on: ubuntu-latest
196+
permissions:
197+
pull-requests: read
195198
steps:
196199
- uses: amannn/action-semantic-pull-request@v5
197200
id: lint_pr_title
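
Review bot: the `pull-requests: read` added to this README example sits on a job whose first step has `id: lint_pr_title`, which implies later steps consume its outputs. If any of those steps writes to the pull request, as the `lint-pr-title-preview-outputErrorMessage.yml` workflow in this same commit does under `pull-requests: write`, users who copy this example will get a permission error from the comment step. Check the remaining steps of the example and set the scope to match what they do.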

src/index.js

+1-1
@@ -118,7 +118,7 @@ module.exports = async function run() {
118118
});
119119
} catch (error) {
120120
throw new Error(
121-
`Pull request has only one commit and it's not semantic; this may lead to a non-semantic commit in the base branch (see https://github.com/community/community/discussions/16271). Amend the commit message to match the pull request title, or add another commit.`
121+
`Pull request has only one commit and it's not semantic; this may lead to a non-semantic commit in the base branch (see https://github.com/community/community/discussions/16271 ). Amend the commit message to match the pull request title, or add another commit.`
122122
);
123123
}
124124
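
Review bot: the space inserted before `)` on new line 121 is a typographic workaround that leaves the message reading `.../16271 ).`; wrapping the link in angle brackets or moving it to the end of the message as its own sentence keeps autolinkers from swallowing the punctuation without the stray space. This hunk also changes runtime error text in `src/index.js`, so the commit subject `docs:` does not describe it; the change belongs in a separate `fix:` commit so it is versioned and released as a fix.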
