Merge commit from fork

DIYgod · Sep 6, 2024 · 19d78c9 · 19d78c9
1 parent eec0e4a
commit 19d78c9
Show file tree

Hide file tree

Showing 12 changed files with 11 additions and 30 deletions.
diff --git a/.github/workflows/build-assets.yml b/.github/workflows/build-assets.yml
@@ -8,9 +8,6 @@ on:
     paths:
       - 'lib/**/*.ts'
 
-permissions:
-  contents: read
-
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/comment-on-issue.yml b/.github/workflows/comment-on-issue.yml
@@ -9,6 +9,8 @@ jobs:
     name: Call maintainers
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      issues: write
     if: github.event.sender.login != 'issuehunt-oss[bot]'
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -32,7 +32,6 @@ jobs:
     timeout-minutes: 60
     permissions:
       packages: write
-      contents: read
       id-token: write
     steps:
       - name: Checkout

diff --git a/.github/workflows/docker-test-cont.yml b/.github/workflows/docker-test-cont.yml
@@ -9,6 +9,8 @@ jobs:
   testRoute:
     name: Route test
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     if: ${{ github.event.workflow_run.conclusion == 'success' }} # skip if unsuccessful
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
@@ -13,17 +13,16 @@ on:
     types: [opened, reopened, synchronize, edited]
   # Please, always create a pull request instead of push to master.
 
-permissions:
-  contents: read
-  pull-requests: write
-
 concurrency:
   group: docker-test-${{ github.ref_name }}
   cancel-in-progress: true
 
 jobs:
   test:
     name: Docker build & tests
+    permissions:
+      pull-requests: write
+      attestations: write
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:

diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
@@ -5,9 +5,6 @@ on:
     branches:
       - master
 
-permissions:
-  contents: read
-
 jobs:
   format:
     permissions:

diff --git a/.github/workflows/issue-command.yml b/.github/workflows/issue-command.yml
@@ -4,9 +4,6 @@ on:
   issue_comment:
     types: [created]
 
-permissions:
-  contents: read
-
 jobs:
   rebase:
     name: Automatic Rebase
@@ -24,15 +21,14 @@ jobs:
       - name: Automatic Rebase
         uses: cirrus-actions/[email protected]
         env:
-          GITHUB_TOKEN: ${{ secrets.TOKEN_SUPER }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   self-assign:
     name: Self Assign
     if: ${{ !github.event.issue.pull_request && startsWith(github.event.comment.body, '/wip') }}
     runs-on: ubuntu-latest
     timeout-minutes: 5
     permissions:
-      contents: read
       issues: write
     steps:
       - uses: bdougie/[email protected]
@@ -46,8 +42,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     permissions:
-      contents: read
       issues: write
+      attestations: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -36,7 +36,6 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     permissions:
-      contents: read
       security-events: write
     steps:
       - uses: actions/checkout@v4
@@ -63,8 +62,6 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    permissions:
-      pull-requests: read
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         env:
@@ -77,7 +74,6 @@ jobs:
     name: Pull Request Labeler
     if: ${{ github.event_name == 'pull_request_target' && github.actor != 'dependabot[bot]' && github.repository == 'DIYgod/RSSHub' }}
     permissions:
-      contents: read
       pull-requests: write
     runs-on: ubuntu-latest
     timeout-minutes: 5

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -9,7 +9,6 @@ on:
       - 'lib/**'
 
 permissions:
-  contents: read
   id-token: write
 
 jobs:

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -12,9 +12,6 @@ on:
     # random HH:MM to avoid a load spike on GitHub Actions at 00:00
     - cron: 21 20 * * *
 
-permissions:
-  contents: read
-
 jobs:
   semgrep:
     name: Scan
@@ -23,7 +20,6 @@ jobs:
       image: returntocorp/semgrep
     if: (github.triggering_actor != 'dependabot[bot]')
     permissions:
-      contents: read
       security-events: write
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/test-full-routes.yml b/.github/workflows/test-full-routes.yml
@@ -5,9 +5,6 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
-permissions:
-  contents: read
-
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -12,7 +12,6 @@ on:
   pull_request: {}
 
 permissions:
-  contents: read
   checks: write
 
 jobs:
@@ -136,6 +135,8 @@ jobs:
   all:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      attestations: write
     strategy:
       fail-fast: false
       matrix: