From 87a445b3b01bf64f922744b9566cb00045586583 Mon Sep 17 00:00:00 2001
From: Enrico Donnici
Date: Fri, 15 Nov 2024 17:00:39 +0100
Subject: [PATCH] Granular Workflow Permissions (#19026)
* Set granular write permissions where needed for individual jobs in GitHub Actions.
* Move the permissions sections to before the steps section.
* Fix whitespace.
* Remove extra tabs.
---
 .github/workflows/build-ddev.yml | 3 +++
 .github/workflows/build-deps.yml | 3 +++
 .github/workflows/docs.yml | 3 +++
 .github/workflows/pr-quick-check.yml | 10 +++++++++-
 .github/workflows/release-hash-check.yml | 3 +++
 .github/workflows/run-validations.yml | 10 +++++++++-
 6 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml
index 420238b467ecb..8f0e541b64b28 100644
--- a/.github/workflows/build-ddev.yml
+++ b/.github/workflows/build-ddev.yml
@@ -575,6 +575,9 @@ jobs:
 - macos-packaging
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
 steps:
 - name: Download Python artifacts
 uses: actions/download-artifact@v4
diff --git a/.github/workflows/build-deps.yml b/.github/workflows/build-deps.yml
index 0052055a900e8..4d15e622e2d46 100644
--- a/.github/workflows/build-deps.yml
+++ b/.github/workflows/build-deps.yml
@@ -203,6 +203,9 @@ jobs:
 OUT_DIR: output/macos-x86_64
 DD_PYTHON3: "/Library/Frameworks/Python.framework/Versions/3.12/bin/python"
+ permissions:
+ packages: write
+
 steps:
 - name: Set up environment
 run: |-
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 4113adce459bf..3767cdb3d79f7 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -71,6 +71,9 @@ jobs:
 needs:
 - build
+ permissions:
+ contents: write
+
 steps:
 - uses: actions/download-artifact@v4
 with:
diff --git a/.github/workflows/pr-quick-check.yml b/.github/workflows/pr-quick-check.yml
index 40bf4f8e07cf4..65391ab729ab0 100644
--- a/.github/workflows/pr-quick-check.yml
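Review bot: The job-level `permissions:` block added before `steps:` in build-ddev.yml replaces the default GITHUB_TOKEN grants for that job instead of extending them, so every scope not listed (`actions`, `packages`, `pull-requests`, ...) becomes `none` for the whole job; the same holds for the blocks added in build-deps.yml, docs.yml and release-hash-check.yml. The `actions/download-artifact@v4` step shown should be unaffected for artifacts of the same run, but any later step in these jobs that needs another scope (for example build-deps.yml pushing a tag or commit while holding only `packages: write`) will now fail, and the rest of each job is outside the hunk. A one-line comment above each block naming the consuming step, e.g. `# contents: write — needed by the <release-upload step> below`, would make each grant auditable. release-hash-check.yml's `build` job is granted `contents: write`; if that job only verifies hashes, `contents: read` would suffice, which is worth confirming against its remaining steps.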
+++ b/.github/workflows/pr-quick-check.yml
@@ -68,11 +68,19 @@ jobs:
 - '*/changelog.d/*.removed'
 - '*/changelog.d/*.major'
+ - name: Create token
+ uses: actions/create-github-app-token@v1
+ id: token-generator
+ with:
+ app-id: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_APP_ID }}
+ private-key: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_PRIVATE_KEY }}
+ repositories: integrations-core
+
 - name: Comment
 if: ${{ steps.changes.outputs.major_bump_fragments == 'true' }}
 uses: actions/github-script@v7
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.token-generator.outputs.token }}
 script: |
 const { issue: { number: issue_number }, repo: { owner, repo } } = context; github.rest.issues.createComment({ issue_number, owner, repo, body: "The changelog type `changed` or `removed` was used in this Pull Request, so the next release will bump major version. Please make sure this is a breaking change, or use the `fixed` or `added` type instead." });
diff --git a/.github/workflows/release-hash-check.yml b/.github/workflows/release-hash-check.yml
index 9bc603a3ed1d4..3d86d3477d4ff 100644
--- a/.github/workflows/release-hash-check.yml
+++ b/.github/workflows/release-hash-check.yml
@@ -11,6 +11,9 @@ jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/run-validations.yml b/.github/workflows/run-validations.yml
index 234c20233de56..c4bd14d6876c1 100644
--- a/.github/workflows/run-validations.yml
+++ b/.github/workflows/run-validations.yml
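Review bot: The new `Create token` step in pr-quick-check.yml has no `if:` while the `Comment` step it feeds is gated on `steps.changes.outputs.major_bump_fragments == 'true'`, so an App installation token is minted and placed on the runner on every run even when nothing will use it; gating it with the same condition, `if: ${{ steps.changes.outputs.major_bump_fragments == 'true' }}`, keeps the token off the runner unless it is needed. The token carries every permission of the app installation on `integrations-core`, while the consumer only calls `issues.createComment`; if the action version in use supports the `permission-*` inputs, `permission-issues: write` would scope it down to that. `actions/create-github-app-token@v1` handles the app private key and is referenced by a mutable tag, so pinning it to a full commit SHA is the usual supply-chain hardening; both remarks apply equally to the identical step added in run-validations.yml. The workflow trigger and the rest of the `jobs:` block are outside the hunk, so whether this job also runs for fork pull requests (where the two secrets are empty) cannot be checked here.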
@@ -247,12 +247,20 @@ jobs:
 if: inputs.codeowners
 run: ddev validate codeowners
+ - name: Create token
+ uses: actions/create-github-app-token@v1
+ id: token-generator
+ with:
+ app-id: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_APP_ID }}
+ private-key: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_PRIVATE_KEY }}
+ repositories: integrations-core
+
 - name: Comment PR on failure
 if: ${{ failure() && github.event.pull_request.merged != true }}
 uses: actions/github-script@v7
 continue-on-error: true
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.token-generator.outputs.token }}
 script: |
 const { issue: { number: issue_number }, repo: { owner, repo } } = context; github.rest.issues.createComment({ issue_number, owner, repo, body: "The `validations` job has failed; please review the `Files changed` tab for possible suggestions to resolve." });
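Review bot: The new `Create token` step has no `if:`, so it keeps the implicit `success()` condition and is skipped whenever an earlier validation step fails, which is exactly the case in which `Comment PR on failure` (gated on `failure() && github.event.pull_request.merged != true`) runs; `steps.token-generator.outputs.token` is then empty, and the comment step either fails (masked by `continue-on-error: true`) or, if github-script treats an empty input as unset, silently falls back to GITHUB_TOKEN, the very token this commit replaces because it could not comment. Give the token step the same condition, `if: ${{ failure() && github.event.pull_request.merged != true }}`, so it runs only on the failure path that consumes it. The validation steps preceding this hunk and the job header are outside it, so a job-level `if:` or `continue-on-error` that would change this cannot be ruled out here.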