From b0b66d25867f2483a5d7385ac137d7e522edeb02 Mon Sep 17 00:00:00 2001 
From: Philipp Burckhardt Date: Sun, 26 Jan 2025 10:20:52 -0500 Subject: [PATCH] build: tweak permissions and use fine-grained PAT --- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: na - task: lint_typescript_declarations status: na - task: lint_typescript_tests status: na - task: lint_license_headers status: passed --- --- type: pre_push_report description: Results of running various checks prior to pushing changes. 
report: - task: run_javascript_examples status: na - task: run_c_examples status: na - task: run_cpp_examples status: na - task: run_javascript_readme_examples status: na - task: run_c_benchmarks status: na - task: run_cpp_benchmarks status: na - task: run_fortran_benchmarks status: na - task: run_javascript_benchmarks status: na - task: run_julia_benchmarks status: na - task: run_python_benchmarks status: na - task: run_r_benchmarks status: na - task: run_javascript_tests status: na --- --- .github/workflows/do_not_merge.yml | 3 +-- .github/workflows/first_time_greeting.yml | 6 +++--- .github/workflows/make.yml | 3 +++ .github/workflows/markdown_equations.yml | 6 ++++-- .github/workflows/markdown_links.yml | 3 +++ .github/workflows/markdown_pkg_urls.yml | 8 ++++++-- .github/workflows/markdown_related_packages.yml | 5 ++++- .github/workflows/markdown_src_attributes.yml | 5 ++++- .github/workflows/markdown_tocs.yml | 5 ++++- .github/workflows/namespace_declarations.yml | 5 ++++- .github/workflows/namespace_exports.yml | 5 ++++- 11 files changed, 40 insertions(+), 14 deletions(-) diff --git a/.github/workflows/do_not_merge.yml b/.github/workflows/do_not_merge.yml index 4f8154e81155..9afe2a559e70 100644 --- a/.github/workflows/do_not_merge.yml +++ b/.github/workflows/do_not_merge.yml @@ -43,8 +43,7 @@ jobs: # Define job permissions: permissions: - contents: read - pull-requests: write + pull-requests: read # Define the type of virtual host machine: runs-on: ubuntu-latest diff --git a/.github/workflows/first_time_greeting.yml b/.github/workflows/first_time_greeting.yml index 7fe2362f40d6..c6fc4a1fb583 100644 --- a/.github/workflows/first_time_greeting.yml +++ b/.github/workflows/first_time_greeting.yml @@ -24,8 +24,8 @@ on: [pull_request_target, issues] # Global permissions: permissions: - # Allow read-only access to the repository contents: - contents: read + # Do not give the workflow any permissions: + contents: none # Workflow jobs: jobs: 
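Review bot: The job-level `permissions:` block in do_not_merge.yml now names only `pull-requests: read`, which sets every unlisted scope — including `contents`, which the old block granted as `read` — to `none`; if this job contains an `actions/checkout` step (the job body continues outside the hunk), that step will now fail to clone. If the job only inspects PR metadata from the event payload, this is the correct minimal grant, but it is worth stating so the next edit does not "fix" it by re-adding contents: `# Only PR metadata from the event is read; every other scope (including contents) is intentionally none:`.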
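Review bot: The new comment in first_time_greeting.yml, `# Do not give the workflow any permissions:`, overstates what `contents: none` does — it zeroes every scope of the automatic GITHUB_TOKEN, but the workflow still acts with whatever the bot PAT it is handed can do, so the comment should name which identity carries the real authority, e.g. `# Grant the automatic GITHUB_TOKEN no scopes; the job authenticates with a bot PAT instead:`. Because the trigger is `pull_request_target`, the job runs in the base repository with access to secrets, so any future step that checks out or executes code from the PR head would expose that PAT to the contributor; a line such as `# pull_request_target: never check out or run PR-head code in this workflow` next to the trigger would document that constraint for whoever edits the file next.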
@@ -47,7 +47,7 @@ jobs: # Pin action to full length commit SHA uses: actions/first-interaction@34f15e814fe48ac9312ccf29db4e74fa767cbab7 # v1.3.0 with: - repo-token: ${{ secrets.CHATBOT_GITHUB_TOKEN }} + repo-token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }} issue-message: | :wave: Hi there! :wave: diff --git a/.github/workflows/make.yml b/.github/workflows/make.yml index 2eb892270f61..93aed441f737 100644 --- a/.github/workflows/make.yml +++ b/.github/workflows/make.yml @@ -64,6 +64,9 @@ jobs: # Specify whether to download Git-LFS files: lfs: false + + # Avoid storing GitHub token in local Git configuration: + persist-credentials: false timeout-minutes: 10 # Install Node.js: diff --git a/.github/workflows/markdown_equations.yml b/.github/workflows/markdown_equations.yml index c81fb38d564f..ba34df033d32 100644 --- a/.github/workflows/markdown_equations.yml +++ b/.github/workflows/markdown_equations.yml @@ -64,6 +64,9 @@ jobs: # Specify whether to download Git-LFS files: lfs: false + + # Avoid storing GitHub token in local Git configuration: + persist-credentials: false timeout-minutes: 10 # Install Node.js: @@ -103,7 +106,6 @@ jobs: git_user_signingkey: true git_commit_gpgsign: true - # Generate list of changed Markdown files: - name: 'Find changed Markdown files' run: | @@ -161,7 +163,7 @@ jobs: commit-message: 'docs: update Markdown equation elements' committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>' signoff: true - token: ${{ secrets.PULL_REQUEST_TOKEN }} + token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }} labels: | documentation automated-pr diff --git a/.github/workflows/markdown_links.yml b/.github/workflows/markdown_links.yml index 859df66cb91c..4acad4751a6e 100644 --- a/.github/workflows/markdown_links.yml +++ b/.github/workflows/markdown_links.yml 
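Review bot: The `repo-token` in first_time_greeting.yml is now `STDLIB_BOT_FGPAT_PR_WRITE`, but the workflow fires on `issues` as well as `pull_request_target`, and the step carries an `issue-message:` for first-time issue authors; a fine-grained PAT scopes Issues and Pull requests separately, so a token that only carries pull-requests: write would presumably fail on the issues path. Confirm the PAT also has issues: write (and that the secret name then reflects it), and record the required scopes beside the step, e.g. `# Fine-grained PAT: issues: write + pull-requests: write, scoped to this repo only:`. Fine-grained PATs also have a mandatory expiration, so the same comment is a good place to name who rotates it.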
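Review bot: The `token:` passed to the create-pull-request step in markdown_equations.yml is now the fine-grained PAT while the checkout step earlier in the job was switched to `persist-credentials: false`; that is the right pairing, but nothing in the file records what the PAT must be allowed to do, and a fine-grained PAT that lacks the write scope the action needs to push the branch would fail only at the final step, after the lint and GPG-signing steps have run. Suggest documenting the contract inline: `# Fine-grained PAT (presumably contents: write + pull-requests: write on this repo); fine-grained PATs expire and must be rotated:`. The same token line is repeated across the other markdown_*/namespace_* workflows in this commit, so a single note in the repository's workflow README would avoid the comment drifting across ten files.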
@@ -76,6 +76,9 @@ jobs: # Specify whether to download Git-LFS files: lfs: false + + # Avoid storing GitHub token in local Git configuration: + persist-credentials: false timeout-minutes: 10 # Initialize log files: diff --git a/.github/workflows/markdown_pkg_urls.yml b/.github/workflows/markdown_pkg_urls.yml index ba046255d4c7..12dc2eefe566 100644 --- a/.github/workflows/markdown_pkg_urls.yml +++ b/.github/workflows/markdown_pkg_urls.yml @@ -70,6 +70,10 @@ jobs: # Specify whether to download Git-LFS files: lfs: false + + # Avoid storing GitHub token in local Git configuration: + persist-credentials: false + timeout-minutes: 10 # Install Node.js: @@ -131,7 +135,7 @@ jobs: fi timeout-minutes: 10 - # Create a pull request with the changes: + # Create a pull request with the changes: - name: 'Create pull request' id: cpr if: steps.update-markdown-pkg-urls.outputs.changed == 'true' @@ -147,7 +151,7 @@ jobs: commit-message: 'docs: update Markdown stdlib package URLs' committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>' signoff: true - token: ${{ secrets.PULL_REQUEST_TOKEN }} + token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }} labels: | documentation automated-pr diff --git a/.github/workflows/markdown_related_packages.yml b/.github/workflows/markdown_related_packages.yml index 27a9ce553106..1440cf13d616 100644 --- a/.github/workflows/markdown_related_packages.yml +++ b/.github/workflows/markdown_related_packages.yml @@ -68,6 +68,9 @@ jobs: # Specify whether to download Git-LFS files: lfs: false + + # Avoid storing GitHub token in local Git configuration: + persist-credentials: false timeout-minutes: 10 # Install Node.js: @@ -159,7 +162,7 @@ jobs: commit-message: 'docs: update related packages sections' committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>' signoff: true - token: ${{ secrets.PULL_REQUEST_TOKEN }} + token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }} labels: | documentation automated-pr 
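Review bot: The `persist-credentials: false` insertion in markdown_pkg_urls.yml adds a blank line both before the comment and after the new key, whereas the same three-line insertion in the other workflows of this commit leaves no blank line between `persist-credentials: false` and `timeout-minutes: 10`; pick one layout for all the checkout blocks so they stay diff-identical across files. The intent of `persist-credentials: false` is only met if no later step relies on the checkout token — a `git push` from a `run:` step would now fail, and only steps that receive the PAT explicitly (here the create-pull-request step's `token:`) can write; the job body continues outside the hunk, so this should be confirmed for the steps not shown.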
diff --git a/.github/workflows/markdown_src_attributes.yml b/.github/workflows/markdown_src_attributes.yml index c2cb872c2946..b90263061b03 100644 --- a/.github/workflows/markdown_src_attributes.yml +++ b/.github/workflows/markdown_src_attributes.yml @@ -23,7 +23,7 @@ name: markdown_src_attributes on: schedule: # Run the workflow once a month on the 1st day of every month: - - cron: "0 0 1 * *" + - cron: '0 0 1 * *' # Allow the workflow to be manually run: workflow_dispatch: @@ -73,6 +73,9 @@ jobs: # Specify whether to download Git-LFS files: lfs: false + + # Avoid storing GitHub token in local Git configuration: + persist-credentials: false timeout-minutes: 10 # Initialize log files: diff --git a/.github/workflows/markdown_tocs.yml b/.github/workflows/markdown_tocs.yml index 7700f60b90dc..f5bee73649e7 100644 --- a/.github/workflows/markdown_tocs.yml +++ b/.github/workflows/markdown_tocs.yml @@ -64,6 +64,9 @@ jobs: # Specify whether to download Git-LFS files: lfs: false + + # Avoid storing GitHub token in local Git configuration: + persist-credentials: false timeout-minutes: 10 # Install Node.js: @@ -129,7 +132,7 @@ jobs: commit-message: 'docs: update namespace table of contents' signoff: true committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>' - token: ${{ secrets.PULL_REQUEST_TOKEN }} + token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }} labels: | documentation automated-pr diff --git a/.github/workflows/namespace_declarations.yml b/.github/workflows/namespace_declarations.yml index 0da71e94c179..49dcc3f2574e 100644 --- a/.github/workflows/namespace_declarations.yml +++ b/.github/workflows/namespace_declarations.yml @@ -64,6 +64,9 @@ jobs: # Specify whether to download Git-LFS files: lfs: false + + # Avoid storing GitHub token in local Git configuration: + persist-credentials: false timeout-minutes: 10 # Install Node.js: 
@@ -124,7 +127,7 @@ jobs: commit-message: 'feat: update namespace TypeScript declarations' committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>' signoff: true - token: ${{ secrets.PULL_REQUEST_TOKEN }} + token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }} labels: | documentation automated-pr diff --git a/.github/workflows/namespace_exports.yml b/.github/workflows/namespace_exports.yml index 1e2c892847b1..e4995b1fd71f 100644 --- a/.github/workflows/namespace_exports.yml +++ b/.github/workflows/namespace_exports.yml @@ -60,6 +60,9 @@ jobs: # Specify whether to download Git-LFS files: lfs: false + + # Avoid storing GitHub token in local Git configuration: + persist-credentials: false timeout-minutes: 10 # Install Node.js: @@ -136,7 +139,7 @@ jobs: commit-message: 'feat: update namespace exports' committer: 'stdlib-bot <82920195+stdlib-bot@users.noreply.github.com>' signoff: true - token: ${{ secrets.PULL_REQUEST_TOKEN }} + token: ${{ secrets.STDLIB_BOT_FGPAT_PR_WRITE }} labels: | automated-pr team-reviewers: |