Granular Workflow Permissions (#19026)

* Set granular write permissions where needed for individual jobs in GitHub Actions. * Move the permissions sections to before the steps section. * Fix whitespace. * Remove extra tabs.
DataDog · Nov 15, 2024 · 87a445b · 87a445b
1 parent 3fa69c8
commit 87a445b
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 2 deletions.
diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml
@@ -575,6 +575,9 @@ jobs:
     - macos-packaging
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - name: Download Python artifacts
       uses: actions/download-artifact@v4

diff --git a/.github/workflows/build-deps.yml b/.github/workflows/build-deps.yml
@@ -203,6 +203,9 @@ jobs:
       OUT_DIR: output/macos-x86_64
       DD_PYTHON3: "/Library/Frameworks/Python.framework/Versions/3.12/bin/python"
 
+    permissions:
+      packages: write
+
     steps:
     - name: Set up environment
       run: |-

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -71,6 +71,9 @@ jobs:
     needs:
     - build
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/download-artifact@v4
       with:

diff --git a/.github/workflows/pr-quick-check.yml b/.github/workflows/pr-quick-check.yml
@@ -68,11 +68,19 @@ jobs:
             - '*/changelog.d/*.removed'
             - '*/changelog.d/*.major'
 
+    - name: Create token
+      uses: actions/create-github-app-token@v1
+      id: token-generator
+      with:
+        app-id: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_APP_ID }}
+        private-key: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_PRIVATE_KEY }}
+        repositories: integrations-core
+
     - name: Comment
       if: ${{ steps.changes.outputs.major_bump_fragments == 'true' }}
       uses: actions/github-script@v7
       with:
-        github-token: ${{ secrets.GITHUB_TOKEN }}
+        github-token: ${{ steps.token-generator.outputs.token }}
         script: |
           const { issue: { number: issue_number }, repo: { owner, repo }  } = context;
           github.rest.issues.createComment({ issue_number, owner, repo, body: "The changelog type `changed` or `removed` was used in this Pull Request, so the next release will bump major version. Please make sure this is a breaking change, or use the `fixed` or `added` type instead." });
diff --git a/.github/workflows/release-hash-check.yml b/.github/workflows/release-hash-check.yml
@@ -11,6 +11,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/checkout@v4
       with:

diff --git a/.github/workflows/run-validations.yml b/.github/workflows/run-validations.yml
@@ -247,12 +247,20 @@ jobs:
       if: inputs.codeowners
       run: ddev validate codeowners
 
+    - name: Create token
+      uses: actions/create-github-app-token@v1
+      id: token-generator
+      with:
+        app-id: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_APP_ID }}
+        private-key: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_PRIVATE_KEY }}
+        repositories: integrations-core
+
     - name: Comment PR on failure
       if: ${{ failure() && github.event.pull_request.merged != true }}
       uses: actions/github-script@v7
       continue-on-error: true
       with:
-        github-token: ${{ secrets.GITHUB_TOKEN }}
+        github-token: ${{ steps.token-generator.outputs.token }}
         script: |
           const { issue: { number: issue_number }, repo: { owner, repo }  } = context;
           github.rest.issues.createComment({ issue_number, owner, repo, body: "The `validations` job has failed; please review the `Files changed` tab for possible suggestions to resolve." });
-Original file line number
+Diff line change
@@ Expand Up / @@ -71,6 +71,9 @@ jobs: @@
         needs:
         - build
+        permissions:
+          contents: write
         steps:
         - uses: actions/download-artifact@v4
           with:
@@ Expand Down @@