From 5b73e7d50c88d42d091f4150b702b2cf445df3cc Mon Sep 17 00:00:00 2001
From: Thiha
Date: Sun, 24 May 2026 14:54:17 +0700
Subject: [PATCH] ci: set workflow permissions
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/stable-release.yml | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7f756a7..d913521 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI
 on: pull_request
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/stable-release.yml b/.github/workflows/stable-release.yml
index d1b9630..938a9ae 100644
--- a/.github/workflows/stable-release.yml
+++ b/.github/workflows/stable-release.yml
@@ -8,6 +8,10 @@ on:
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
 outputs:
 has-new-release: ${{ steps.release.outputs.new_release_published }}
 tag-name: ${{ steps.release.outputs.new_release_git_tag }}
@@ -28,6 +32,8 @@ jobs:
 publish:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 needs: release
 if: needs.release.outputs.has-new-release == 'true'
 steps:
@@ -43,4 +49,4 @@ jobs:
 - name: Register
 run: pnpm publish --no-git-checks
 env:
- NODE_AUTH_TOKEN: ${{secrets.NPM_ACCESS_TOKEN}}
\ No newline at end of file
+ NODE_AUTH_TOKEN: ${{secrets.NPM_ACCESS_TOKEN}}
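Review bot: The new top-level `permissions:` block in ci.yml lists only `contents: read`, and once any scope is listed every unlisted scope drops to `none` for all jobs in the workflow. The jobs themselves are outside this hunk, so it is worth confirming that none of them comments on the pull request or writes check runs; a job that does should get its own job-level grant rather than a wider workflow default. A short comment above the block would keep that intent visible, for example `# Least privilege: unlisted scopes are none; grant extras per job.`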
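Review bot: stable-release.yml now sets permissions per job, but no workflow-level `permissions:` block is visible, so a job added later without its own block would fall back to the repository's default GITHUB_TOKEN permissions. If the lines above the first hunk do not already set one, add `permissions: {}` at the top level so the two job-level grants are the only ones in effect. The `release` job holds `contents: write`, `issues: write` and `pull-requests: write`; its steps are outside the hunk, so check that each scope is actually used by the release step and that any third-party action in that job is pinned to a commit SHA.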