Commit 8ac250b

Update workflow permissions to remove 'read-all' and set to empty for… (#750)
* Update workflow permissions to remove 'read-all' and set to empty for consistency
* Fix Dependabot auto-merge trigger to specify main branch for pull requests
1 parent 0f80427 commit 8ac250b

10 files changed

Lines changed: 17 additions & 21 deletions

.github/workflows/build-and-test.yml

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,7 @@ on:
77
- "bugfix/**"
88
- "hotfix/**"
99

10-
11-
permissions: read-all
10+
permissions: {}
1211

1312
jobs:
1413
build-and-test:
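
Review bot: with `permissions: {}` at the top level the `GITHUB_TOKEN` starts with no scopes at all, so every job in this file must now carry its own `permissions:` block (at minimum `contents: read` for any job that checks out the repository); the hunk ends at the `build-and-test:` job header without showing that block, so confirm it exists before merging. The direction is right: `read-all` handed read access on every scope (`packages`, `deployments`, `security-events`, and so on) to jobs that needed none of them, and an empty mapping is the documented way to disable all default permissions.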

.github/workflows/codequality.yml

Lines changed: 3 additions & 3 deletions
@@ -10,9 +10,8 @@ on:
1010
branches:
1111
- main
1212
types: [opened, synchronize, reopened, ready_for_review]
13-
14-
15-
permissions: read-all
13+
14+
permissions: {}
1615

1716
jobs:
1817
quality:
@@ -36,6 +35,7 @@ jobs:
3635
permissions:
3736
contents: read
3837
actions: read
38+
id-token: write
3939
security-events: write
4040
uses: frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@main
4141
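
Review bot: `id-token: write` on the `quality` job is a permission escalation, not a cleanup, and it is not mentioned in the commit message: it lets the called workflow mint OIDC tokens that can be exchanged for cloud credentials through federated identity. State why `devops-secure-scanning.yml` now needs it (which cloud-side trust it satisfies). Because the caller references that reusable workflow at the mutable `@main` ref, anyone who can push to `frasermolyneux/actions` main can change what that token, and the `security-events: write` scope, are used for; pin the `uses:` reference to a tag or commit SHA.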

.github/workflows/copilot-setup-steps.yml

Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@ on:
1111
paths:
1212
- .github/workflows/copilot-setup-steps.yml
1313

14-
permissions: read-all
14+
permissions: {}
1515

1616
jobs:
1717
# The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
Lines changed: 7 additions & 4 deletions
@@ -1,15 +1,18 @@
11
name: Dependabot Auto-Merge
2-
on: pull_request
2+
on:
3+
pull_request:
4+
branches:
5+
- main
36

4-
5-
permissions: read-all
7+
permissions: {}
68

79
jobs:
810
dependabot:
911
permissions:
1012
contents: write
1113
pull-requests: write
1214
runs-on: ubuntu-latest
15+
1316
if: ${{ github.actor == 'dependabot[bot]' }}
1417
steps:
1518
- name: Dependabot metadata
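
Review bot: restricting the trigger to `branches: [main]` means a Dependabot PR against any other target branch (if `target-branch` is ever set in dependabot.yml) will no longer be auto-merged; probably intended, but worth a comment in the workflow. The permission shape is right: top-level `permissions: {}` with job-scoped `contents: write` and `pull-requests: write` is the minimum `gh pr merge --auto` needs, and the `if: github.actor == 'dependabot[bot]'` guard keeps the write scopes away from runs triggered by anyone else. Two things to verify: that a Dependabot-triggered `pull_request` run actually receives those write scopes on this repository (Dependabot runs have had restricted tokens in the past, so test with a real Dependabot PR rather than assuming), and that the stray blank line added after `runs-on: ubuntu-latest` is intentional; it reads as an accidental edit.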
@@ -18,7 +21,7 @@ jobs:
1821
with:
1922
github-token: "${{ secrets.GITHUB_TOKEN }}"
2023
- name: Enable auto-merge for Dependabot PRs
21-
run: gh pr merge --auto --merge "$PR_URL"
24+
run: gh pr merge --auto --squash "$PR_URL"
2225
env:
2326
PR_URL: ${{github.event.pull_request.html_url}}
2427
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
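
Review bot: the switch from `--merge` to `--squash` is not in the commit message; add it, and check that squash merging is enabled in the repository's merge settings, since `gh pr merge --squash` fails when it is not. More importantly, `--auto` only defers the merge until the branch's required status checks pass: if the `main` branch protection does not list the build-and-test and pr-verify checks as required, this command merges the dependency bump immediately, before anything has run against it. Confirm the branch protection rules before relying on this.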

.github/workflows/deploy-dev.yml

Lines changed: 1 addition & 2 deletions
@@ -3,8 +3,7 @@ name: Deploy Dev
33
on:
44
workflow_dispatch:
55

6-
7-
permissions: read-all
6+
permissions: {}
87

98
jobs:
109
build-and-test:

.github/workflows/deploy-prd.yml

Lines changed: 1 addition & 2 deletions
@@ -8,8 +8,7 @@ on:
88
branches:
99
- main
1010

11-
12-
permissions: read-all
11+
permissions: {}
1312

1413
jobs:
1514
build-and-test:

.github/workflows/destroy-development.yml

Lines changed: 1 addition & 2 deletions
@@ -5,8 +5,7 @@ on:
55
#schedule:
66
# - cron: "40 0 * * *"
77

8-
9-
permissions: read-all
8+
permissions: {}
109

1110
jobs:
1211
terraform-destroy-dev:

.github/workflows/destroy-environment.yml

Lines changed: 1 addition & 2 deletions
@@ -12,8 +12,7 @@ on:
1212
- dev
1313
- prd
1414

15-
16-
permissions: read-all
15+
permissions: {}
1716

1817
jobs:
1918
terraform-destroy:

.github/workflows/pr-verify.yml

Lines changed: 1 addition & 2 deletions
@@ -13,8 +13,7 @@ on:
1313
- main
1414
types: [opened, synchronize, reopened, ready_for_review]
1515

16-
17-
permissions: read-all
16+
permissions: {}
1817

1918
jobs:
2019
build-and-test:

README.md

Lines changed: 0 additions & 1 deletion
@@ -1,6 +1,5 @@
11
# XtremeIdiots Portal - Repository Func
22

3-
[![DevOps Secure Scanning](https://github.com/frasermolyneux/portal-repository-func/actions/workflows/devops-secure-scanning.yml/badge.svg)](https://github.com/frasermolyneux/portal-repository-func/actions/workflows/devops-secure-scanning.yml)
43
[![Code Quality](https://github.com/frasermolyneux/portal-repository-func/actions/workflows/codequality.yml/badge.svg)](https://github.com/frasermolyneux/portal-repository-func/actions/workflows/codequality.yml)
54
[![Build and Test](https://github.com/frasermolyneux/portal-repository-func/actions/workflows/build-and-test.yml/badge.svg)](https://github.com/frasermolyneux/portal-repository-func/actions/workflows/build-and-test.yml)
65
[![PR Verify](https://github.com/frasermolyneux/portal-repository-func/actions/workflows/pr-verify.yml/badge.svg)](https://github.com/frasermolyneux/portal-repository-func/actions/workflows/pr-verify.yml)
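
Review bot: the removed badge pointed at `.github/workflows/devops-secure-scanning.yml` in this repository, whereas the codequality workflow in this same commit runs secure scanning through the reusable `devops-secure-scanning.yml` from `frasermolyneux/actions`; if no local workflow of that name exists the badge was dead and removing it is correct, but the README change is not mentioned in the commit message, and the scanning result is now only visible through the Code Quality badge. A sentence in the commit or README saying where scanning now runs would avoid the next reader assuming it was dropped.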
