From 1d9f0a1f8fb1f5c881ce54b585359b137fc6930e Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sat, 27 Aug 2022 16:13:24 +0100
Subject: [PATCH 01/15] Update close-needs-feedback.yml
---
 .github/workflows/close-needs-feedback.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/close-needs-feedback.yml b/.github/workflows/close-needs-feedback.yml
index 7197598f38c49..579f7153c4beb 100644
--- a/.github/workflows/close-needs-feedback.yml
+++ b/.github/workflows/close-needs-feedback.yml
@@ -4,10 +4,16 @@ on: schedule: - cron: "0 0 * * *" +# top level permissions for all jobs +# each job gets its own specific write permission +permissions: {} # none + jobs: build: if: github.repository_owner == 'php' runs-on: ubuntu-latest + permissions: + issues: write steps: - name: Close old issues that need feedback uses: dwieeb/needs-reply@v2
From 03a0b09b31f40d2e700f50596269501853b95aff Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sat, 27 Aug 2022 19:41:25 +0100
Subject: [PATCH 02/15] Update push.yml
---
 .github/workflows/push.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 38dad5e8f8fda..e8b6e9b8b03a2 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -17,6 +17,7 @@ on: pull_request: branches: - '**' +permissions: {} # none jobs: LINUX_X64: strategy:
@@ -29,6 +30,8 @@ jobs: zts: true name: "LINUX_X64_${{ matrix.debug && 'DEBUG' || 'RELEASE' }}_${{ matrix.zts && 'ZTS' || 'NTS' }}" runs-on: ubuntu-20.04 + permissions: + contents: read steps: - name: git checkout uses: actions/checkout@v2
@@ -66,6 +69,8 @@ jobs: uses: ./.github/actions/verify-generated-files MACOS_DEBUG_NTS: runs-on: macos-11 + permissions: + contents: read steps: - name: git checkout uses: actions/checkout@v2
From a1225d488a4630eb8c020dc10140740e630d209c Mon Sep 17 00:00:00 2001
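Review bot: The `build` job that now receives `issues: write` still runs `uses: dwieeb/needs-reply@v2`, a mutable tag, so the write scope just granted to GITHUB_TOKEN is only as trustworthy as whoever can move that tag. Third-party actions that hold write scopes should be pinned to a full commit SHA with the tag kept as a comment, e.g. `uses: dwieeb/needs-reply@<full-commit-sha> # v2`. The same point applies to `actions/stale@v4` in patches 3 and 5 and to `actions-ecosystem/action-remove-labels@v1` in patch 6. The `jobs.build` mapping continues past the end of the hunk.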
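Review bot: The workflow-level `permissions: {} # none` in the first push.yml hunk strips every scope from GITHUB_TOKEN, but only the two jobs visible in the following hunks (`LINUX_X64` and `MACOS_DEBUG_NTS`) get `contents: read` back; if push.yml defines further jobs that run `actions/checkout` (the hunks do not show the whole file), those jobs would now fail with an empty token. Worth confirming the full job list against the diffstat before merging, and the same check applies to the nightly.yml hunks in patch 7. If several jobs need the same read scope, a single workflow-level `permissions:` / `  contents: read` grant with job-level blocks only where more is needed is easier to keep consistent.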
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sat, 27 Aug 2022 19:47:34 +0100
Subject: [PATCH 03/15] Update close-stale-feature-requests.yml
---
 .github/workflows/close-stale-feature-requests.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml
index b6727dc2401d5..53a78e442ce7d 100644
--- a/.github/workflows/close-stale-feature-requests.yml
+++ b/.github/workflows/close-stale-feature-requests.yml
@@ -4,10 +4,14 @@ on: schedule: - cron: "0 0 * * *" +permissions: {} # none + jobs: stale: if: github.repository_owner == 'php' runs-on: ubuntu-latest + permissions: + issues: write steps: - uses: actions/stale@v4 with:
From 3382d28bf789a19ecc1ae260bc25d8d204d446e3 Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sat, 27 Aug 2022 20:11:55 +0100
Subject: [PATCH 04/15] Update close-stale-feature-requests.yml
---
 .github/workflows/close-stale-feature-requests.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml
index 53a78e442ce7d..398ac91b7e2db 100644
--- a/.github/workflows/close-stale-feature-requests.yml
+++ b/.github/workflows/close-stale-feature-requests.yml
@@ -12,6 +12,7 @@ jobs: runs-on: ubuntu-latest permissions: issues: write + pull-requests: write steps: - uses: actions/stale@v4 with:
From bc4a36e6bda59202b2bdfa88f0c17c1f093b8a53 Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sat, 27 Aug 2022 20:13:23 +0100
Subject: [PATCH 05/15] Update close-stale-prs.yml
---
 .github/workflows/close-stale-prs.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml
index e5fbacff5d152..cc4442dda56c9 100644
--- a/.github/workflows/close-stale-prs.yml
+++ b/.github/workflows/close-stale-prs.yml
@@ -4,10 +4,15 @@ on: schedule: - cron: "0 0 * * *" +permissions: {} # none + jobs: stale: if: github.repository_owner == 'php' runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/stale@v4 with:
From d3024616d19ed4e622f5a31eb5fb11f9602e09f5 Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sat, 27 Aug 2022 20:27:22 +0100
Subject: [PATCH 06/15] Update remove-needs-feedback.yml
---
 .github/workflows/remove-needs-feedback.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/remove-needs-feedback.yml b/.github/workflows/remove-needs-feedback.yml
index fded33b442081..d858da39c7c76 100644
--- a/.github/workflows/remove-needs-feedback.yml
+++ b/.github/workflows/remove-needs-feedback.yml
@@ -5,10 +5,15 @@ on: types: - created +permissions: {} # none + jobs: build: if: "github.repository_owner == 'php' && contains(github.event.issue.labels.*.name, 'Status: Needs Feedback') && github.event.issue.user.login == github.event.sender.login" runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions-ecosystem/action-remove-labels@v1 with:
From 421082b5972eb799dd7c1a69288938d0b180a42c Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sat, 27 Aug 2022 20:37:02 +0100
Subject: [PATCH 07/15] Update nightly.yml
---
 .github/workflows/nightly.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 7bed10529f647..d2e9c7b9b271f 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
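Review bot: The new job-level block in remove-needs-feedback.yml grants `pull-requests: write` although the only visible step is `actions-ecosystem/action-remove-labels@v1` and the `if:` condition inspects `github.event.issue` only; nothing in the hunk says why the second write scope is needed. The event name is above the hunk, so it cannot be confirmed here, but if the reason is that the trigger also fires for pull-request comments (which appear under `github.event.issue`), a comment above the line would stop the scope being removed later as unused, e.g. `# the trigger also fires for pull requests; removing their label needs this scope`. If the job is meant for issues only, the scope can be dropped and the job kept at `issues: write`.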
@@ -3,11 +3,14 @@ on: schedule: - cron: "0 1 * * *" workflow_dispatch: ~ +permissions: {} # none jobs: GENERATE_MATRIX: name: Generate Matrix if: github.repository_owner == 'php' || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest + permissions: + contents: read outputs: branches: ${{ steps.set-matrix.outputs.branches }} asan-matrix: ${{ steps.set-matrix.outputs.asan-matrix }}
@@ -42,6 +45,8 @@ jobs: include: ${{ fromJson(needs.GENERATE_MATRIX.outputs.asan-matrix) }} name: "${{ matrix.branch.name }}_LINUX_X64${{ matrix.name }}_${{ matrix.debug && 'DEBUG' || 'RELEASE' }}_${{ matrix.zts && 'ZTS' || 'NTS' }}" runs-on: ubuntu-20.04 + permissions: + contents: read steps: - name: git checkout uses: actions/checkout@v2
@@ -112,6 +117,8 @@ jobs: zts: [true, false] name: "${{ matrix.branch.name }}_MACOS_${{ matrix.debug && 'DEBUG' || 'RELEASE' }}_${{ matrix.zts && 'ZTS' || 'NTS' }}" runs-on: macos-11 + permissions: + contents: read steps: - name: git checkout uses: actions/checkout@v2
@@ -166,6 +173,8 @@ jobs: uses: ./.github/actions/verify-generated-files COVERAGE_DEBUG_NTS: runs-on: ubuntu-20.04 + permissions: + contents: read steps: - name: git checkout uses: actions/checkout@v2
From 0e42d548a3bb7fdffad6b2af57dde8df1d62006b Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sat, 27 Aug 2022 20:40:02 +0100
Subject: [PATCH 08/15] Update close-needs-feedback.yml
---
 .github/workflows/close-needs-feedback.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/close-needs-feedback.yml b/.github/workflows/close-needs-feedback.yml
index 579f7153c4beb..cfbf34d18f2fc 100644
--- a/.github/workflows/close-needs-feedback.yml
+++ b/.github/workflows/close-needs-feedback.yml
@@ -4,8 +4,6 @@ on: schedule: - cron: "0 0 * * *" -# top level permissions for all jobs -# each job gets its own specific write permission permissions: {} # none jobs:
From 9b650e89ecc791eb36a2d13b2759503c3d3f6af0 Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sat, 27 Aug 2022 23:59:57 +0100
Subject: [PATCH 09/15] Update nightly.yml
---
 .github/workflows/nightly.yml | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index d2e9c7b9b271f..13f0dc0864749 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -3,14 +3,13 @@ on: schedule: - cron: "0 1 * * *" workflow_dispatch: ~ -permissions: {} # none +permissions: + contents: read jobs: GENERATE_MATRIX: name: Generate Matrix if: github.repository_owner == 'php' || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest - permissions: - contents: read outputs: branches: ${{ steps.set-matrix.outputs.branches }} asan-matrix: ${{ steps.set-matrix.outputs.asan-matrix }}
@@ -45,8 +44,6 @@ jobs: include: ${{ fromJson(needs.GENERATE_MATRIX.outputs.asan-matrix) }} name: "${{ matrix.branch.name }}_LINUX_X64${{ matrix.name }}_${{ matrix.debug && 'DEBUG' || 'RELEASE' }}_${{ matrix.zts && 'ZTS' || 'NTS' }}" runs-on: ubuntu-20.04 - permissions: - contents: read steps: - name: git checkout uses: actions/checkout@v2
@@ -117,8 +114,6 @@ jobs: zts: [true, false] name: "${{ matrix.branch.name }}_MACOS_${{ matrix.debug && 'DEBUG' || 'RELEASE' }}_${{ matrix.zts && 'ZTS' || 'NTS' }}" runs-on: macos-11 - permissions: - contents: read steps: - name: git checkout uses: actions/checkout@v2
@@ -173,8 +168,6 @@ jobs: uses: ./.github/actions/verify-generated-files COVERAGE_DEBUG_NTS: runs-on: ubuntu-20.04 - permissions: - contents: read steps: - name: git checkout uses: actions/checkout@v2
From 10676bcdda52ac2fc1b4445589af30945d4dd899 Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sun, 28 Aug 2022 00:00:52 +0100
Subject: [PATCH 10/15] Update push.yml
---
 .github/workflows/push.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
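Review bot: Moving `contents: read` to the workflow level in the first nightly.yml hunk means every job in the file, including any added later, silently inherits read access, whereas the per-job blocks being removed made each job declare it. A job that later adds its own `permissions:` block replaces the workflow-level grant rather than merging with it, so it would lose `contents: read` unless it repeats it; both facts are worth recording next to the grant, e.g. `# default for every job; a job declaring its own permissions block replaces this and must repeat contents: read if it checks out the tree`. The hunks do not show whether `GENERATE_MATRIX` checks out the repository at all, so whether it needs the scope cannot be judged here. The same observation applies to the push.yml change in patch 10.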
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index e8b6e9b8b03a2..abe9a104429d1 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -17,7 +17,8 @@ on: pull_request: branches: - '**' -permissions: {} # none +permissions: + contents: read jobs: LINUX_X64: strategy:
@@ -30,8 +31,6 @@ jobs: zts: true name: "LINUX_X64_${{ matrix.debug && 'DEBUG' || 'RELEASE' }}_${{ matrix.zts && 'ZTS' || 'NTS' }}" runs-on: ubuntu-20.04 - permissions: - contents: read steps: - name: git checkout uses: actions/checkout@v2
@@ -69,8 +68,6 @@ jobs: uses: ./.github/actions/verify-generated-files MACOS_DEBUG_NTS: runs-on: macos-11 - permissions: - contents: read steps: - name: git checkout uses: actions/checkout@v2
From 742e829fce0f4858038d5230c285f9e2faf7414a Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sun, 28 Aug 2022 16:43:09 +0100
Subject: [PATCH 11/15] Update close-needs-feedback.yml
---
 .github/workflows/close-needs-feedback.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/close-needs-feedback.yml b/.github/workflows/close-needs-feedback.yml
index cfbf34d18f2fc..012ecaa31605f 100644
--- a/.github/workflows/close-needs-feedback.yml
+++ b/.github/workflows/close-needs-feedback.yml
@@ -4,7 +4,8 @@ on: schedule: - cron: "0 0 * * *" -permissions: {} # none +permissions: + contents: read jobs: build:
From f27ce8eb0d8fe0ceece614dc56e38df667adb13c Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sun, 28 Aug 2022 16:43:32 +0100
Subject: [PATCH 12/15] Update close-stale-feature-requests.yml
---
 .github/workflows/close-stale-feature-requests.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml
index 398ac91b7e2db..685bdced92ec3 100644
--- a/.github/workflows/close-stale-feature-requests.yml
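Review bot: Replacing `permissions: {} # none` with a workflow-level `contents: read` in close-needs-feedback.yml widens the token default for a workflow whose only job, as shown in patch 1, has no checkout step and goes straight to `dwieeb/needs-reply@v2`. Because a job-level `permissions:` block replaces the workflow-level one rather than merging with it, the `build` job's own `issues: write` grant is unaffected either way, so the net effect is read access for any job added later rather than for the current one. Unless a checkout is planned, `permissions: {}` was the tighter default; if `contents: read` is kept for consistency with push.yml and nightly.yml, a comment saying so, e.g. `# read-only default kept in line with the build workflows; no job here checks out the tree`, would explain the choice. The same applies to patches 12, 13 and 14 (close-stale-feature-requests.yml, close-stale-prs.yml, remove-needs-feedback.yml), none of whose visible steps check out the repository.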
+++ b/.github/workflows/close-stale-feature-requests.yml
@@ -4,7 +4,8 @@ on: schedule: - cron: "0 0 * * *" -permissions: {} # none +permissions: + contents: read jobs: stale:
From 8bc3573ca45024ef7187f5a7a57ab81bfd03d2f9 Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sun, 28 Aug 2022 16:43:56 +0100
Subject: [PATCH 13/15] Update close-stale-prs.yml
---
 .github/workflows/close-stale-prs.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml
index cc4442dda56c9..ca4317be1e0f9 100644
--- a/.github/workflows/close-stale-prs.yml
+++ b/.github/workflows/close-stale-prs.yml
@@ -4,7 +4,8 @@ on: schedule: - cron: "0 0 * * *" -permissions: {} # none +permissions: + contents: read jobs: stale:
From 992f3b47055a391381697a16bd0670db138ba8cb Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sun, 28 Aug 2022 16:44:23 +0100
Subject: [PATCH 14/15] Update remove-needs-feedback.yml
---
 .github/workflows/remove-needs-feedback.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/remove-needs-feedback.yml b/.github/workflows/remove-needs-feedback.yml
index d858da39c7c76..8d1ff3e0a0712 100644
--- a/.github/workflows/remove-needs-feedback.yml
+++ b/.github/workflows/remove-needs-feedback.yml
@@ -5,7 +5,8 @@ on: types: - created -permissions: {} # none +permissions: + contents: read jobs: build:
From d141c53bcc5c9fdae0772e3fb4cce05b762211e2 Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sun, 28 Aug 2022 17:20:03 +0100
Subject: [PATCH 15/15] Update .github/workflows/close-needs-feedback.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Michael Voříšek
---
 .github/workflows/close-needs-feedback.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/close-needs-feedback.yml b/.github/workflows/close-needs-feedback.yml
index 012ecaa31605f..27231303f16e5 100644
--- a/.github/workflows/close-needs-feedback.yml
+++ b/.github/workflows/close-needs-feedback.yml
@@ -13,6 +13,7 @@ jobs: runs-on: ubuntu-latest permissions: issues: write + pull-requests: write steps: - name: Close old issues that need feedback uses: dwieeb/needs-reply@v2
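Review bot: The added `pull-requests: write` comes with no explanation in the hunk, and the job's only visible step is `dwieeb/needs-reply@v2`, whose name and the step title "Close old issues that need feedback" point at issues rather than pull requests. If the scope is required because the issues API also returns pull requests and the action closes those too, record that next to the line so the grant is not trimmed later as unused, e.g. `pull-requests: write  # the issues API lists PRs as well; closing them needs this scope`. If the action is confined to issues, the extra write scope can be dropped and the job left at `issues: write`. The `jobs.build` mapping begins above the hunk.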