ci: SRE-391: Assign job permissions (#1144)

* ci: SRE-384: Fix cancel pipeline

* ci: SRE-391: Assign job permissions

* Remove default permissions

Author: nikitabelonogov

Diff for: .github/workflows/build_bundle.yml

@@ -20,9 +20,11 @@ jobs:
     if: "!contains(github.event.head_commit.message, 'skip ci')"
     steps:
       - uses: hmarr/[email protected]
+
       - name: "Checkout codebase"
         uses: actions/checkout@v3
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           ref: ${{ inputs.sha }}
 
       - uses: actions/setup-node@v3

Diff for: .github/workflows/cancel_cicd_pipeline.yml

@@ -1,13 +1,15 @@
 name: "Cancel PR CI/CD pipeline"
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - closed
       - converted_to_draft
       - locked
     branches:
-      - develop
+      - master
+      - 'lse-release/**'
+      - 'ls-release/**'
 
 concurrency:
   group: CI/CD Pipeline-${{ github.event.pull_request.number || github.event.pull_request.head.ref || github.ref_name }}

Diff for: .github/workflows/cicd_pipeline.yml

@@ -21,24 +21,18 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.pull_request.head.ref || github.ref_name }}
   cancel-in-progress: true
 
-permissions: read-all
-
 jobs:
   build_bundle:
     name: "Build JS Bundle"
     if: github.event_name == 'push' || github.event.pull_request.draft == false
     uses: heartexlabs/label-studio-frontend/.github/workflows/build_bundle.yml@master
-    permissions:
-      contents: write
     with:
       sha: ${{ github.event.pull_request.head.sha || github.event.after }}
 
   run_e2e:
     name: "Tests"
     if: github.event_name == 'push' || github.event.pull_request.draft == false
     uses: heartexlabs/label-studio-frontend/.github/workflows/e2e_tests.yml@master
-    permissions:
-      contents: write
     needs:
       - build_bundle
     with:

Diff for: .github/workflows/e2e_tests.yml

@@ -20,9 +20,11 @@ jobs:
     if: "!contains(github.event.head_commit.message, 'skip ci')"
     steps:
       - uses: hmarr/[email protected]
+
       - name: "Checkout codebase"
         uses: actions/checkout@v3
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           ref: ${{ inputs.sha }}
 
       - uses: actions/setup-node@v3

Diff for: .github/workflows/eslint.yml

@@ -20,9 +20,11 @@ jobs:
     if: "!contains(github.event.head_commit.message, 'skip ci')"
     steps:
       - uses: hmarr/[email protected]
+
       - name: "Checkout codebase"
         uses: actions/checkout@v3
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           ref: ${{ inputs.sha }}
 
       - name: "Setup NodeJS"

Diff for: .github/workflows/unit_tests.yml

@@ -20,9 +20,11 @@ jobs:
     if: "!contains(github.event.head_commit.message, 'skip ci')"
     steps:
       - uses: hmarr/[email protected]
+
       - name: "Checkout codebase"
         uses: actions/checkout@v3
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           ref: ${{ inputs.sha }}
 
       - name: "Setup NodeJS"