From 038f6b33e140a7d60e8ea91b134c762be80cc47c Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Fri, 28 Mar 2025 12:22:47 +0530
Subject: [PATCH 1/5] granular perms [crowdin]
---
 .github/workflows/auth-crowdin-push.yml | 4 ++++
 .github/workflows/auth-crowdin-sync.yml | 4 ++++
 .github/workflows/mobile-crowdin-push.yml | 4 ++++
 .github/workflows/mobile-crowdin-sync.yml | 4 ++++
 .github/workflows/web-crowdin-push-both.yml | 4 ++++
 .github/workflows/web-crowdin-sync.yml | 9 +++++++++
 6 files changed, 29 insertions(+)
diff --git a/.github/workflows/auth-crowdin-push.yml b/.github/workflows/auth-crowdin-push.yml
index 5c81291012..4cefb1d1c6 100644
--- a/.github/workflows/auth-crowdin-push.yml
+++ b/.github/workflows/auth-crowdin-push.yml
@@ -9,6 +9,10 @@ on:
 # Or the workflow itself is changed
 - ".github/workflows/auth-crowdin.yml"
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 push-sources-to-crowdin:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/auth-crowdin-sync.yml b/.github/workflows/auth-crowdin-sync.yml
index b8027c82f0..695aea7245 100644
--- a/.github/workflows/auth-crowdin-sync.yml
+++ b/.github/workflows/auth-crowdin-sync.yml
@@ -8,6 +8,10 @@ on:
 # Also allow manually running the workflow.
 workflow_dispatch:
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 synchronize-with-crowdin:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/mobile-crowdin-push.yml b/.github/workflows/mobile-crowdin-push.yml
index 2c77ebc69b..e8b219d5c7 100644
--- a/.github/workflows/mobile-crowdin-push.yml
+++ b/.github/workflows/mobile-crowdin-push.yml
@@ -9,6 +9,10 @@ on:
 # Or the workflow itself is changed
 - ".github/workflows/mobile-crowdin.yml"
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 push-sources-to-crowdin:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/mobile-crowdin-sync.yml b/.github/workflows/mobile-crowdin-sync.yml
index 39062cd6f5..f064105331 100644
--- a/.github/workflows/mobile-crowdin-sync.yml
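Review bot: The `contents: write` and `pull-requests: write` grant added above `jobs:` in auth-crowdin-push.yml is the same one the sync workflows get, yet the only job here is `push-sources-to-crowdin`; if that job only uploads source strings to Crowdin and never downloads translations or opens a pull request, `contents: read` with no `pull-requests` scope would be the least-privilege setting. The job's steps lie outside the hunk, so please confirm before keeping the write scopes; mobile-crowdin-push.yml and web-crowdin-push-both.yml in this patch raise the same question. Only web-crowdin-sync.yml explains why the scopes are needed; the other five files would benefit from the reference line `# See https://github.com/crowdin/github-action?tab=readme-ov-file#permissions` above their `permissions:` block.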
+++ b/.github/workflows/mobile-crowdin-sync.yml
@@ -8,6 +8,10 @@ on:
 # Also allow manually running the workflow.
 workflow_dispatch:
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 synchronize-with-crowdin:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/web-crowdin-push-both.yml b/.github/workflows/web-crowdin-push-both.yml
index f836537b01..dff2bde520 100644
--- a/.github/workflows/web-crowdin-push-both.yml
+++ b/.github/workflows/web-crowdin-push-both.yml
@@ -12,6 +12,10 @@ on:
 # `gh workflow run web-crowdin-push-both.yml --ref `
 workflow_dispatch:
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 push-both-to-crowdin:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/web-crowdin-sync.yml b/.github/workflows/web-crowdin-sync.yml
index f81e27c352..6a6e4dd243 100644
--- a/.github/workflows/web-crowdin-sync.yml
+++ b/.github/workflows/web-crowdin-sync.yml
@@ -22,6 +22,15 @@ on:
 # Also allow manually running the workflow.
 workflow_dispatch:
 
+# "In order to push translations and create pull requests, the Crowdin GitHub
+# action requires the `GITHUB_TOKEN` to have write permission on the `contents`
+# and `pull-requests`.
+#
+# - https://github.com/crowdin/github-action?tab=readme-ov-file#permissions
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 synchronize-with-crowdin:
 runs-on: ubuntu-latest
From 0f62c4fa79f3ee75e25d7011ca417cbefaa2c35e Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Fri, 28 Mar 2025 12:32:05 +0530
Subject: [PATCH 2/5] granular perms / docker-push
ref: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-with-repository-scoped-permissions
---
 .github/workflows/copycat-db-release.yml | 3 +++
 .github/workflows/server-publish-ghcr.yml | 4 ++++
 .github/workflows/server-release.yml | 3 +++
 .github/workflows/web-publish-ghcr.yml | 4 ++++
 4 files changed, 14 insertions(+)
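Review bot: The comment added above `permissions:` in web-crowdin-sync.yml opens with a double quote (`+# "In order to push translations …`) that is never closed, so it reads as a truncated quotation rather than a statement. Either drop the opening quote or close it after `pull-requests` on the third comment line and introduce the link on the last line as the source of the quotation. Since this comment is the only place in the five crowdin workflows where the rationale for the write scopes lives, it is worth keeping it exact.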
diff --git a/.github/workflows/copycat-db-release.yml b/.github/workflows/copycat-db-release.yml
index 5ec942879d..ab8bac861c 100644
--- a/.github/workflows/copycat-db-release.yml
+++ b/.github/workflows/copycat-db-release.yml
@@ -3,6 +3,9 @@ name: "Release (copycat-db)"
 on:
 workflow_dispatch: # Run manually
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/server-publish-ghcr.yml b/.github/workflows/server-publish-ghcr.yml
index 5167f8cc4c..1d2e059208 100644
--- a/.github/workflows/server-publish-ghcr.yml
+++ b/.github/workflows/server-publish-ghcr.yml
@@ -7,6 +7,10 @@ on:
 # Run manually if needed to publish out of schedule.
 workflow_dispatch:
 
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/server-release.yml b/.github/workflows/server-release.yml
index fa02155300..6db84b1bfc 100644
--- a/.github/workflows/server-release.yml
+++ b/.github/workflows/server-release.yml
@@ -3,6 +3,9 @@ name: "Release (server)"
 on:
 workflow_dispatch: # Run manually
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/web-publish-ghcr.yml b/.github/workflows/web-publish-ghcr.yml
index 76c0c3de26..b69a75977f 100644
--- a/.github/workflows/web-publish-ghcr.yml
+++ b/.github/workflows/web-publish-ghcr.yml
@@ -7,6 +7,10 @@ on:
 # Run manually if needed to publish out of schedule.
 workflow_dispatch:
 
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 publish:
 runs-on: ubuntu-latest
From 0e4fa1ad4cf8001b5e894c73181bf0b6349498ee Mon Sep 17 00:00:00 2001
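Review bot: copycat-db-release.yml and server-release.yml are clamped to `contents: read` even though both are release workflows with a `build` job, which is only correct if every publishing step authenticates with its own secret rather than `GITHUB_TOKEN`. The `build` job bodies are outside the hunks, so please check them for a registry login or release-creation step that relies on the token; after this change such a step would fail with a 403 at the next `workflow_dispatch` rather than at review time, and a manual run after merging would confirm the floor is right. The two `-publish-ghcr` workflows in the same patch, which get `packages: write`, are the pattern to compare against.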
From: Manav Rathi
Date: Fri, 28 Mar 2025 12:48:50 +0530
Subject: [PATCH 3/5] ro
---
 .github/workflows/auth-lint.yml | 5 ++++-
 .github/workflows/desktop-lint.yml | 3 +++
 .github/workflows/docs-deploy.yml | 3 +++
 .github/workflows/docs-verify-build.yml | 3 +++
 .github/workflows/infra-deploy-staff.yml | 3 +++
 .github/workflows/infra-lint-staff.yml | 3 +++
 .github/workflows/mobile-lint.yml | 4 +++-
 .github/workflows/server-lint.yml | 3 +++
 .github/workflows/web-deploy-one.yml | 3 +++
 .github/workflows/web-deploy-preview.yml | 3 +++
 .github/workflows/web-deploy-staging.yml | 3 +++
 .github/workflows/web-deploy.yml | 3 +++
 .github/workflows/web-lint.yml | 3 +++
 13 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/auth-lint.yml b/.github/workflows/auth-lint.yml
index 2deaa285f7..e48317d59f 100644
--- a/.github/workflows/auth-lint.yml
+++ b/.github/workflows/auth-lint.yml
@@ -10,6 +10,9 @@ on:
 env:
 FLUTTER_VERSION: "3.24.3"
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
@@ -30,7 +33,7 @@ jobs:
 exit 1
 fi
 done
-
+
 - name: Verify all icons are less than 20KB
 run: |
 find assets/custom-icons -type f -name "*.svg" | while read -r file; do
diff --git a/.github/workflows/desktop-lint.yml b/.github/workflows/desktop-lint.yml
index 0c24a081ff..8480fabc0d 100644
--- a/.github/workflows/desktop-lint.yml
+++ b/.github/workflows/desktop-lint.yml
@@ -7,6 +7,9 @@ on:
 - "desktop/**"
 - ".github/workflows/desktop-lint.yml"
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml
index b824fe5c32..1737775726 100644
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -10,6 +10,9 @@ on:
 # Also allow manually running the workflow
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs-verify-build.yml b/.github/workflows/docs-verify-build.yml
index e07f9f973f..a0b4cc359a 100644
--- a/.github/workflows/docs-verify-build.yml
+++ b/.github/workflows/docs-verify-build.yml
@@ -10,6 +10,9 @@ on:
 - "docs/**"
 - ".github/workflows/docs-verify-build.yml"
 
+permissions:
+ contents: read
+
 jobs:
 verify-build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/infra-deploy-staff.yml b/.github/workflows/infra-deploy-staff.yml
index dd68a14a26..6f1bf7212e 100644
--- a/.github/workflows/infra-deploy-staff.yml
+++ b/.github/workflows/infra-deploy-staff.yml
@@ -10,6 +10,9 @@ on:
 # Also allow manually running the workflow
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/infra-lint-staff.yml b/.github/workflows/infra-lint-staff.yml
index 3f3612bd04..ed2189181d 100644
--- a/.github/workflows/infra-lint-staff.yml
+++ b/.github/workflows/infra-lint-staff.yml
@@ -7,6 +7,9 @@ on:
 - "infra/staff/**"
 - ".github/workflows/infra-deploy-staff.yml"
 
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/mobile-lint.yml b/.github/workflows/mobile-lint.yml
index 1edf5c875e..f404c5a65a 100644
--- a/.github/workflows/mobile-lint.yml
+++ b/.github/workflows/mobile-lint.yml
@@ -8,9 +8,11 @@ on: - ".github/workflows/mobile-lint.yml" env: - FLUTTER_VERSION: "3.24.3"
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/server-lint.yml b/.github/workflows/server-lint.yml
index 2f126899ff..c823f57f9e 100644
--- a/.github/workflows/server-lint.yml
+++ b/.github/workflows/server-lint.yml
@@ -7,6 +7,9 @@ on:
 - "server/**"
 - ".github/workflows/server-lint.yml"
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/web-deploy-one.yml b/.github/workflows/web-deploy-one.yml
index 28b9b8d1d1..62711ec7ae 100644
--- a/.github/workflows/web-deploy-one.yml
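Review bot: The context above the new `permissions:` block in infra-lint-staff.yml shows the workflow re-running on changes to `.github/workflows/infra-deploy-staff.yml` and a job named `deploy`, while infra-deploy-staff.yml's job is named `lint` — the path filter, and possibly the job names, look swapped between the two files, so the lint workflow does not re-run when its own definition changes. This predates the commit, but since both files are touched here, changing the filter to `- ".github/workflows/infra-lint-staff.yml"` and aligning the job names would be a cheap fix. The job bodies are outside the hunks, so confirm which file actually deploys before renaming anything.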
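Review bot: The mobile-lint.yml hunk removes `FLUTTER_VERSION: "3.24.3"` from `env:` while the `env:` key itself stays, so either the mapping is now empty (in which case the key should go too) or it has entries not shown here; please also confirm no step further down still reads `${{ env.FLUTTER_VERSION }}`, since auth-lint.yml in the same patch keeps the variable. The commit message `ro` does not mention this removal, so a line stating why the lint job no longer pins the Flutter version would help future readers. The rest of the `lint` job is outside the hunk.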
+++ b/.github/workflows/web-deploy-one.yml
@@ -15,6 +15,9 @@ on:
 - "payments"
 - "photos"
 
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/web-deploy-preview.yml b/.github/workflows/web-deploy-preview.yml
index fe60ccd36e..3590adac31 100644
--- a/.github/workflows/web-deploy-preview.yml
+++ b/.github/workflows/web-deploy-preview.yml
@@ -15,6 +15,9 @@ on:
 - "payments"
 - "photos"
 
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/web-deploy-staging.yml b/.github/workflows/web-deploy-staging.yml
index 4ea739324b..dddd03d53d 100644
--- a/.github/workflows/web-deploy-staging.yml
+++ b/.github/workflows/web-deploy-staging.yml
@@ -11,6 +11,9 @@ on:
 # Also allow manually running the workflow
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/web-deploy.yml b/.github/workflows/web-deploy.yml
index 2064c13163..18dd252443 100644
--- a/.github/workflows/web-deploy.yml
+++ b/.github/workflows/web-deploy.yml
@@ -19,6 +19,9 @@ on:
 # Also allow manually running the workflow
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/web-lint.yml b/.github/workflows/web-lint.yml
index 6eb2454a98..2971bc3718 100644
--- a/.github/workflows/web-lint.yml
+++ b/.github/workflows/web-lint.yml
@@ -7,6 +7,9 @@ on:
 - "web/**"
 - ".github/workflows/web-lint.yml"
 
+permissions:
+ contents: read
+
 # Cancel in-progress lint runs when a new commit is pushed.
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
From 875a747e2407ad00eeeb7abe9f617eaa484bd59f Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Fri, 28 Mar 2025 12:54:15 +0530
Subject: [PATCH 4/5] granular perms / release
"only required permissions for the action specified (which is contents: write)"
- https://github.com/ncipollo/release-action?tab=readme-ov-file#notes
---
 .github/workflows/auth-internal-release.yml | 3 +++
 .github/workflows/auth-release.yml | 3 +++
 .github/workflows/mobile-internal-release.yml | 5 ++++-
 .github/workflows/mobile-release.yml | 3 +++
 desktop/.github/workflows/desktop-release.yml | 3 +++
 5 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/auth-internal-release.yml b/.github/workflows/auth-internal-release.yml
index 4aec41202f..9668e0e336 100644
--- a/.github/workflows/auth-internal-release.yml
+++ b/.github/workflows/auth-internal-release.yml
@@ -6,6 +6,9 @@ on:
 env:
 FLUTTER_VERSION: "3.24.3"
 
+permissions:
+ contents: write
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/auth-release.yml b/.github/workflows/auth-release.yml
index 337c457cab..697c08efd2 100644
--- a/.github/workflows/auth-release.yml
+++ b/.github/workflows/auth-release.yml
@@ -31,6 +31,9 @@ on:
 env:
 FLUTTER_VERSION: "3.24.3"
 
+permissions:
+ contents: write
+
 jobs:
 build-linux-latest:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/mobile-internal-release.yml b/.github/workflows/mobile-internal-release.yml
index cbba50064f..b8ef0b2225 100644
--- a/.github/workflows/mobile-internal-release.yml
+++ b/.github/workflows/mobile-internal-release.yml
@@ -6,6 +6,9 @@ on:
 env:
 FLUTTER_VERSION: "3.24.3"
 
+permissions:
+ contents: write
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -54,7 +57,7 @@ jobs:
 packageName: io.ente.photos
 releaseFiles: mobile/build/app/outputs/bundle/playstoreRelease/app-playstore-release.aab
 track: internal
-
+
 - name: Notify Discord
 uses: sarisia/actions-status-discord@v1
 with:
diff --git a/.github/workflows/mobile-release.yml b/.github/workflows/mobile-release.yml
index 8997f0afbc..e15cd937e9 100644
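Review bot: `contents: write` is granted at the workflow level in auth-release.yml, where the first job is `build-linux-latest` — a name that suggests several per-platform build jobs which only need to read the checkout, and a workflow-level grant applies to every one of them. Scoping it to the job that actually calls the release action (a job-level `permissions:` block with `contents: write`, leaving the workflow at `contents: read`) would keep the build jobs least-privilege. The same applies to auth-internal-release.yml and mobile-internal-release.yml if their release step is ever split from `build`. The remaining jobs are outside the hunk, so this is inferred from the job name only.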
--- a/.github/workflows/mobile-release.yml
+++ b/.github/workflows/mobile-release.yml
@@ -11,6 +11,9 @@ on:
 env:
 FLUTTER_VERSION: "3.24.3"
 
+permissions:
+ contents: write
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/desktop/.github/workflows/desktop-release.yml b/desktop/.github/workflows/desktop-release.yml
index 71d8384660..335de87258 100644
--- a/desktop/.github/workflows/desktop-release.yml
+++ b/desktop/.github/workflows/desktop-release.yml
@@ -22,6 +22,9 @@ on:
 tags:
 - "v[0-9]+.[0-9]+.[0-9]+"
 
+permissions:
+ contents: write
+
 jobs:
 release:
 runs-on: ${{ matrix.os }}
From cf7d46fd70630f1ae099f7a5e8cfba0d1c82ea84 Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Fri, 28 Mar 2025 13:02:19 +0530
Subject: [PATCH 5/5] go-rel
ref: https://github.com/wangyoucao577/go-release-action?tab=readme-ov-file#basic-example
---
 .github/workflows/cli-release.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/cli-release.yml b/.github/workflows/cli-release.yml
index b126cbd2f0..a31ef00c05 100644
--- a/.github/workflows/cli-release.yml
+++ b/.github/workflows/cli-release.yml
@@ -12,6 +12,10 @@ on:
 tags:
 - "cli-v*"
 
+permissions:
+ contents: write
+ packages: write
+
 jobs:
 draft-release:
 runs-on: ubuntu-latest
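Review bot: cli-release.yml grants `packages: write` next to `contents: write`, but the job shown is `draft-release` and uploading release assets needs only `contents: write`; unless a step outside the hunk pushes an image or package to a GitHub registry with `GITHUB_TOKEN`, the `packages: write` line should be dropped. Copying a scope from an upstream example is not a reason to keep one the workflow does not use. The `draft-release` job body is outside the hunk.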