[meta] Granular action permissions (#5456)

This commit is contained in:
Manav Rathi
2025-03-28 13:08:45 +05:30
committed by GitHub
29 changed files with 103 additions and 3 deletions


@@ -9,6 +9,10 @@ on:
# Or the workflow itself is changed
- ".github/workflows/auth-crowdin.yml"
permissions:
contents: write
pull-requests: write
jobs:
push-sources-to-crowdin:
runs-on: ubuntu-latest
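Review bot: The `contents: write` and `pull-requests: write` grant added above `jobs:` carries no rationale, while the one Crowdin section later in this commit that does explain itself (the `synchronize-with-crowdin` hunk beginning `@@ -22,6 +22,15 @@`) states that the Crowdin GitHub action needs both scopes to push translations and open pull requests and links the action's permissions documentation. The same comment, or a one-line pointer such as `# Write scopes are required by the Crowdin action to push translations and open PRs.`, belongs above `permissions:` here and in the other Crowdin workflows in this commit (the other `synchronize-with-crowdin`, the mobile `push-sources-to-crowdin`, and `push-both-to-crowdin`). Without it a later reader cannot distinguish a deliberate write grant from an over-broad one and may widen or narrow it by mistake.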


@@ -8,6 +8,10 @@ on:
# Also allow manually running the workflow.
workflow_dispatch:
permissions:
contents: write
pull-requests: write
jobs:
synchronize-with-crowdin:
runs-on: ubuntu-latest


@@ -6,6 +6,9 @@ on:
env:
FLUTTER_VERSION: "3.24.3"
permissions:
contents: write
jobs:
build:
runs-on: ubuntu-latest
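Review bot: `contents: write` is declared at the workflow level, so every job and every step in this workflow, including any third-party action it runs, receives a `GITHUB_TOKEN` that can push to the repository, and nothing records which step actually needs that scope. If the workflow has more than one job (the `jobs:` block continues outside the hunk, so I cannot tell), moving `permissions:` under the single job that presumably creates the release or uploads build artifacts keeps the other jobs read-only; either way a comment above the block, e.g. `# contents: write is needed by the step that creates the GitHub release / uploads assets.`, should name the consumer. The same point applies to the other `contents: write` sections in this commit: `build-linux-latest`, `draft-release`, the mobile `build` job whose later hunk uploads to the Play Store and runs the `sarisia/actions-status-discord@v1` action with the same token available, the remaining `build`, and `release`.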


@@ -10,6 +10,9 @@ on:
env:
FLUTTER_VERSION: "3.24.3"
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest
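Review bot: A top-level `permissions:` listing only `contents: read` also sets every unlisted scope to none, which is the intent of this change but is not stated anywhere in the file. A one-line comment above `permissions:` such as `# Read-only token; unlisted scopes default to none.` tells the next contributor who adds a step needing, say, `pull-requests: write` why that step is denied and where the grant has to be widened. This applies equally to the other read-only sections in the commit (the lint, deploy, verify-build, release-build and publish workflows).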
@@ -30,7 +33,7 @@ jobs:
exit 1
fi
done
- name: Verify all icons are less than 20KB
run: |
find assets/custom-icons -type f -name "*.svg" | while read -r file; do


@@ -31,6 +31,9 @@ on:
env:
FLUTTER_VERSION: "3.24.3"
permissions:
contents: write
jobs:
build-linux-latest:
runs-on: ubuntu-latest


@@ -12,6 +12,10 @@ on:
tags:
- "cli-v*"
permissions:
contents: write
packages: write
jobs:
draft-release:
runs-on: ubuntu-latest


@@ -3,6 +3,9 @@ name: "Release (copycat-db)"
on:
workflow_dispatch: # Run manually
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest


@@ -7,6 +7,9 @@ on:
- "desktop/**"
- ".github/workflows/desktop-lint.yml"
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest


@@ -10,6 +10,9 @@ on:
# Also allow manually running the workflow
workflow_dispatch:
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest


@@ -10,6 +10,9 @@ on:
- "docs/**"
- ".github/workflows/docs-verify-build.yml"
permissions:
contents: read
jobs:
verify-build:
runs-on: ubuntu-latest


@@ -10,6 +10,9 @@ on:
# Also allow manually running the workflow
workflow_dispatch:
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest


@@ -7,6 +7,9 @@ on:
- "infra/staff/**"
- ".github/workflows/infra-deploy-staff.yml"
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest


@@ -9,6 +9,10 @@ on:
# Or the workflow itself is changed
- ".github/workflows/mobile-crowdin.yml"
permissions:
contents: write
pull-requests: write
jobs:
push-sources-to-crowdin:
runs-on: ubuntu-latest


@@ -8,6 +8,10 @@ on:
# Also allow manually running the workflow.
workflow_dispatch:
permissions:
contents: write
pull-requests: write
jobs:
synchronize-with-crowdin:
runs-on: ubuntu-latest


@@ -6,6 +6,9 @@ on:
env:
FLUTTER_VERSION: "3.24.3"
permissions:
contents: write
jobs:
build:
runs-on: ubuntu-latest
@@ -54,7 +57,7 @@ jobs:
packageName: io.ente.photos
releaseFiles: mobile/build/app/outputs/bundle/playstoreRelease/app-playstore-release.aab
track: internal
- name: Notify Discord
uses: sarisia/actions-status-discord@v1
with:


@@ -8,9 +8,11 @@ on:
- ".github/workflows/mobile-lint.yml"
env:
FLUTTER_VERSION: "3.24.3"
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest


@@ -11,6 +11,9 @@ on:
env:
FLUTTER_VERSION: "3.24.3"
permissions:
contents: write
jobs:
build:
runs-on: ubuntu-latest


@@ -7,6 +7,9 @@ on:
- "server/**"
- ".github/workflows/server-lint.yml"
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest


@@ -7,6 +7,10 @@ on:
# Run manually if needed to publish out of schedule.
workflow_dispatch:
permissions:
contents: read
packages: write
jobs:
publish:
runs-on: ubuntu-latest


@@ -3,6 +3,9 @@ name: "Release (server)"
on:
workflow_dispatch: # Run manually
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest


@@ -12,6 +12,10 @@ on:
# `gh workflow run web-crowdin-push-both.yml --ref <my-branch>`
workflow_dispatch:
permissions:
contents: write
pull-requests: write
jobs:
push-both-to-crowdin:
runs-on: ubuntu-latest


@@ -22,6 +22,15 @@ on:
# Also allow manually running the workflow.
workflow_dispatch:
# "In order to push translations and create pull requests, the Crowdin GitHub
# action requires the `GITHUB_TOKEN` to have write permission on the `contents`
# and `pull-requests`.
#
# - https://github.com/crowdin/github-action?tab=readme-ov-file#permissions
permissions:
contents: write
pull-requests: write
jobs:
synchronize-with-crowdin:
runs-on: ubuntu-latest


@@ -15,6 +15,9 @@ on:
- "payments"
- "photos"
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest


@@ -15,6 +15,9 @@ on:
- "payments"
- "photos"
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest


@@ -11,6 +11,9 @@ on:
# Also allow manually running the workflow
workflow_dispatch:
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest


@@ -19,6 +19,9 @@ on:
# Also allow manually running the workflow
workflow_dispatch:
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest


@@ -7,6 +7,9 @@ on:
- "web/**"
- ".github/workflows/web-lint.yml"
permissions:
contents: read
# Cancel in-progress lint runs when a new commit is pushed.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}


@@ -7,6 +7,10 @@ on:
# Run manually if needed to publish out of schedule.
workflow_dispatch:
permissions:
contents: read
packages: write
jobs:
publish:
runs-on: ubuntu-latest


@@ -22,6 +22,9 @@ on:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
permissions:
contents: write
jobs:
release:
runs-on: ${{ matrix.os }}