From 5f41bb941f4c0f604c8816b27d11077a5b1082fd Mon Sep 17 00:00:00 2001
From: Xiao Xufeng
Date: Mon, 23 Mar 2026 20:58:39 +0800
Subject: [PATCH] ci(github): update workflow permission
---
 .github/workflows/docker.yml | 3 +++
 .github/workflows/issue_comment.yml | 4 ++++
 .github/workflows/new_issues.yml | 3 +++
 .github/workflows/new_prs.yml | 3 +++
 .github/workflows/pr_approved.yml | 4 ++++
 .github/workflows/release_zips.yml | 3 +++
 6 files changed, 20 insertions(+)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 02faf43ad9..a6741a401f 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,5 +1,8 @@
 name: docker
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 
diff --git a/.github/workflows/issue_comment.yml b/.github/workflows/issue_comment.yml
index 061057dfa4..cb20b3697e 100644
--- a/.github/workflows/issue_comment.yml
+++ b/.github/workflows/issue_comment.yml
@@ -1,5 +1,9 @@
 name: Sync issue comments to JIRA
 
+permissions:
+ issues: write
+ pull-requests: write
+
 # This workflow will be triggered when new issue comment is created (including PR comments)
 on: issue_comment
 
diff --git a/.github/workflows/new_issues.yml b/.github/workflows/new_issues.yml
index a27cc8ec4b..67ae258e6b 100644
--- a/.github/workflows/new_issues.yml
+++ b/.github/workflows/new_issues.yml
@@ -1,5 +1,8 @@
 name: Sync issues to Jira
 
+permissions:
+ issues: write
+
 # This workflow will be triggered when a new issue is opened
 on: issues
 
diff --git a/.github/workflows/new_prs.yml b/.github/workflows/new_prs.yml
index 3000aff80a..115dfad2a8 100644
--- a/.github/workflows/new_prs.yml
+++ b/.github/workflows/new_prs.yml
@@ -1,5 +1,8 @@
 name: Sync remain PRs to Jira
 
+permissions:
+ pull-requests: write
+
 # This workflow will be triggered every hour, to sync remaining PRs (i.e. PRs with zero comment) to Jira project
 # Note that, PRs can also get synced when new PR comment is created
 on:
diff --git a/.github/workflows/pr_approved.yml b/.github/workflows/pr_approved.yml
index a641a7e501..d2b37f6bf7 100644
--- a/.github/workflows/pr_approved.yml
+++ b/.github/workflows/pr_approved.yml
@@ -1,4 +1,8 @@
 name: Sync approved PRs to internal codebase
+
+permissions:
+ contents: read
+
 on:
 pull_request_target:
 types: [labeled]
diff --git a/.github/workflows/release_zips.yml b/.github/workflows/release_zips.yml
index bc2bf7b5c0..ec6bf6976a 100644
--- a/.github/workflows/release_zips.yml
+++ b/.github/workflows/release_zips.yml
@@ -1,5 +1,8 @@
 name: Create zip file with recursive source clone for release
 
+permissions:
+ contents: write
+
 on:
 push:
 tags:
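Review bot: In .github/workflows/pr_approved.yml the new `contents: read` narrows only the GITHUB_TOKEN; under `pull_request_target` the job still runs in the base repository's context with repository secrets available, so this block alone does not contain a workflow that a label on a fork PR can start. The job steps are outside the hunk and should be checked so that nothing checks out or executes the PR head ref; a comment above the trigger would record that, e.g. `# pull_request_target: secrets are available; never build or run code from the PR head here`. If a step removes the label or comments on the PR with GITHUB_TOKEN, it will also need `pull-requests: write`, since unlisted scopes are now `none`.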