diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 13f8cc65f9..d74030d2f5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,9 @@ on:
 branches: [main]
 paths-ignore: ["docs/**"]
+permissions:
+ id-token: write
+
 jobs:
 build:
 if: github.repository == 'catppuccin/userstyles'
@@ -18,7 +21,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
- token: ${{ secrets.USERSTYLES_TOKEN }}
+ persist-credentials: false
 - name: Setup Deno
 uses: nekowinston/setup-deno@main
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 95d8c4cb02..00b063c421 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,10 @@ on:
 push:
 branches: [main]
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 ci:
 runs-on: ubuntu-latest
@@ -59,4 +63,6 @@ jobs:
 push: false
 - name: Push changes
- run: git push origin "HEAD:${{ github.ref }}" --atomic
+ run: git push origin "HEAD:$REF" --atomic
+ env:
+ REF: ${{ github.ref }}
diff --git a/.github/workflows/deno-check.yml b/.github/workflows/deno-check.yml
index 38bd9475ab..bdbb172097 100644
--- a/.github/workflows/deno-check.yml
+++ b/.github/workflows/deno-check.yml
@@ -8,6 +8,8 @@ on:
 branches: [main]
 paths: ["**/*.ts"]
+permissions: {}
+
 jobs:
 check:
 if: github.repository == 'catppuccin/userstyles'
@@ -15,6 +17,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup Deno
 uses: nekowinston/setup-deno@main
diff --git a/.github/workflows/deno-lock.yml b/.github/workflows/deno-lock.yml
index 116e4e0c2a..0ee418db21 100644
--- a/.github/workflows/deno-lock.yml
+++ b/.github/workflows/deno-lock.yml
@@ -5,6 +5,9 @@ on:
 branches: [main]
 paths: ["deno.json"]
+permissions:
+ contents: write
+
 jobs:
 deno-lock:
 name: Update Deno lock
diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
index 20cb94ca01..26c7718a40 100644
--- a/.github/workflows/issues.yml
+++ b/.github/workflows/issues.yml
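Review bot: The workflow-level `permissions:` block in build.yml grants `id-token: write` to every job in the file and implicitly sets every other scope, including `contents`, to none, so the GITHUB_TOKEN loses repository read access through the API. Placing the grant on the job that actually performs the OIDC exchange, and adding `contents: read` under `permissions:` if checkout or a later step needs repository read access, would keep the token minimal; only the `build` job is visible here, so whether other jobs exist cannot be told from the hunk. The second hunk replaces the `USERSTYLES_TOKEN` PAT with `persist-credentials: false`, which means any later step that pushed or fetched with that credential now runs unauthenticated; the remainder of the `build` job is outside the hunk, so confirm no such step remains.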
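Review bot: The rewritten `git push` in ci.yml still depends on a credential persisted by the checkout step, which is outside this hunk, so confirm that checkout does not set `persist-credentials: false` the way the other workflows in this commit do; otherwise the push fails to authenticate despite the new `contents: write` grant. Moving `github.ref` into `env.REF` is the right shape, and because `$REF` is expanded inside double quotes its contents are not re-parsed by the shell. Pushes made with the GITHUB_TOKEN do not start new `push`-triggered runs, so the workflows in this repository will not re-run on the commit this step pushes; if that is intended, a comment on the step such as `# pushed with GITHUB_TOKEN: does not retrigger workflows` would spare the next reader the surprise.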
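Review bot: `permissions: {}` leaves the GITHUB_TOKEN with no scopes at all, not even `contents: read`, so the `actions/checkout@v4` step in the next hunk of deno-check.yml presumably works only because the repository is public (the `github.repository ==` guard suggests it is); on a private repository the clone would fail with this setting. If that is intentional, a comment above the block such as `# no token scopes: checkout only needs anonymous read access to a public repo` documents it. The same `permissions: {}` block is added in issues.yml, lint.yml, maintainers.yml, sync-labels.yml and website.yml; for the `triage`, `sync-maintainers`, `sync` and `deploy` jobs the steps are outside the hunks, so confirm that none of them use the GITHUB_TOKEN for a write (labelling an issue, for example, needs `issues: write`) or that they carry a separately provided credential.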
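Review bot: `contents: write` at workflow level in deno-lock.yml is what a lockfile commit needs, but a commit pushed with the GITHUB_TOKEN does not trigger the other `push` workflows, so ci.yml and lint.yml will not run on the lockfile update; if that matters, note it with a comment on the block or have the job push with a credential that does trigger runs. The `deno-lock` job's steps are outside the hunk, so whether the push uses the GITHUB_TOKEN at all cannot be confirmed from here.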
@@ -5,6 +5,8 @@ on:
 issues:
 types: [opened, edited]
+permissions: {}
+
 jobs:
 triage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index f26be4d9e4..2919864611 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,8 @@ on:
 branches: [main]
 paths-ignore: ["docs/**"]
+permissions: {}
+
 jobs:
 lint:
 if: github.repository == 'catppuccin/userstyles'
@@ -15,6 +17,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup Deno
 uses: nekowinston/setup-deno@main
diff --git a/.github/workflows/maintainers.yml b/.github/workflows/maintainers.yml
index e0df2a7250..33ff7b5921 100644
--- a/.github/workflows/maintainers.yml
+++ b/.github/workflows/maintainers.yml
@@ -6,6 +6,8 @@ on:
 branches: [main]
 paths: ["scripts/userstyles.yml"]
+permissions: {}
+
 jobs:
 sync-maintainers:
 if: github.repository == 'catppuccin/userstyles'
@@ -13,6 +15,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup Deno
 uses: nekowinston/setup-deno@main
diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml
index c5150b1c45..69412d3fe4 100644
--- a/.github/workflows/pull-requests.yml
+++ b/.github/workflows/pull-requests.yml
@@ -1,7 +1,11 @@
 name: Pull Request Labeler
 on:
- pull_request_target:
+ pull_request:
+
+permissions:
+ pull-requests: write
+ contents: read
 jobs:
 triage:
@@ -10,6 +14,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Add pull request labels
 uses: actions/labeler@v4.3.0
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 8862ff28af..5d42f70ca6 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -6,6 +6,8 @@ on:
 branches: [main]
 paths: [".github/labels.yml"]
+permissions: {}
+
 jobs:
 sync:
 if: github.repository == 'catppuccin/userstyles'
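Review bot: Switching pull-requests.yml from `pull_request_target` to `pull_request` removes the write-token-on-untrusted-code hazard, but on a `pull_request` event from a fork the GITHUB_TOKEN is read-only by default regardless of the `permissions:` block, so `actions/labeler@v4.3.0` in the second hunk will likely fail to apply labels on fork pull requests. If labelling fork PRs is required, the safer form of the original trigger is `pull_request_target` with the default checkout of the base ref and no PR-supplied code executed, keeping `pull-requests: write` as the only write scope; if it is not required, a comment such as `# pull_request: fork PRs get a read-only token, labels only apply to same-repo PRs` records the trade-off. The `contents: read` grant is only needed if the labeler reads its configuration from the checked-out tree rather than the API, which cannot be told from the hunk.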
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index b290c79402..5a2b2064b3 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -6,6 +6,8 @@ on:
 branches: [main]
 paths: ["scripts/userstyles.yml"]
+permissions: {}
+
 jobs:
 deploy:
 if: github.repository == 'catppuccin/userstyles'