From 19d78c9d30a665168b47479032561af8ebe78da1 Mon Sep 17 00:00:00 2001
From: DIYgod
Date: Fri, 6 Sep 2024 20:01:53 +0800
Subject: [PATCH] Merge commit from fork
---
.github/workflows/build-assets.yml | 3 ---
.github/workflows/comment-on-issue.yml | 2 ++
.github/workflows/docker-release.yml | 1 -
.github/workflows/docker-test-cont.yml | 2 ++
.github/workflows/docker-test.yml | 7 +++----
.github/workflows/format.yml | 3 ---
.github/workflows/issue-command.yml | 8 ++------
.github/workflows/lint.yml | 4 ----
.github/workflows/npm-publish.yml | 1 -
.github/workflows/semgrep.yml | 4 ----
.github/workflows/test-full-routes.yml | 3 ---
.github/workflows/test.yml | 3 ++-
12 files changed, 11 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/build-assets.yml b/.github/workflows/build-assets.yml
index a74fa4a63f5ade..e824ab20547146 100644
--- a/.github/workflows/build-assets.yml
+++ b/.github/workflows/build-assets.yml
@@ -8,9 +8,6 @@ on: paths: - 'lib/**/*.ts' -permissions: - contents: read - jobs: build: runs-on: ubuntu-latest
diff --git a/.github/workflows/comment-on-issue.yml b/.github/workflows/comment-on-issue.yml
index c80d16de9ebd7c..f0fdb344784301 100644
--- a/.github/workflows/comment-on-issue.yml
+++ b/.github/workflows/comment-on-issue.yml
@@ -9,6 +9,8 @@ jobs: name: Call maintainers runs-on: ubuntu-latest timeout-minutes: 5 + permissions: + issues: write if: github.event.sender.login != 'issuehunt-oss[bot]' steps: - uses: actions/checkout@v4
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 876a04c706ba37..1d8c5b6bd546d6 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -32,7 +32,6 @@ jobs: timeout-minutes: 60 permissions: packages: write - contents: read id-token: write steps: - name: Checkout
diff --git a/.github/workflows/docker-test-cont.yml b/.github/workflows/docker-test-cont.yml
index 51625ae9d739b1..b2c1af20466fcd 100644
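Review bot: In comment-on-issue.yml the added job-level `permissions:` block lists only `issues: write`, and GitHub Actions sets every scope not listed in a block to `none`, so the `actions/checkout@v4` step that follows now runs without `contents` access and should succeed only because the repository is public. That dependency deserves a comment above the block, for example `# unlisted scopes (incl. contents) are none; checkout relies on the repo being public`, since a private mirror or fork would fail at checkout with no obvious cause. The same applies to the `testRoute` job in docker-test-cont.yml, which gets only `pull-requests: write` ahead of its checkout step. Both jobs' step lists continue outside their hunks.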
--- a/.github/workflows/docker-test-cont.yml
+++ b/.github/workflows/docker-test-cont.yml
@@ -9,6 +9,8 @@ jobs: testRoute: name: Route test runs-on: ubuntu-latest + permissions: + pull-requests: write if: ${{ github.event.workflow_run.conclusion == 'success' }} # skip if unsuccessful steps: - uses: actions/checkout@v4
diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
index 8d589985d1cc96..79144429814db9 100644
--- a/.github/workflows/docker-test.yml
+++ b/.github/workflows/docker-test.yml
@@ -13,10 +13,6 @@ on: types: [opened, reopened, synchronize, edited] # Please, always create a pull request instead of push to master. -permissions: - contents: read - pull-requests: write - concurrency: group: docker-test-${{ github.ref_name }} cancel-in-progress: true
@@ -24,6 +20,9 @@ concurrency: jobs: test: name: Docker build & tests + permissions: + pull-requests: write + attestations: write runs-on: ubuntu-latest timeout-minutes: 10 steps:
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index a1faa0400eb658..a2ca9899fa5b32 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -5,9 +5,6 @@ on: branches: - master -permissions: - contents: read - jobs: format: permissions:
diff --git a/.github/workflows/issue-command.yml b/.github/workflows/issue-command.yml
index 6bdd3c421cf5e9..dd497b695422b9 100644
--- a/.github/workflows/issue-command.yml
+++ b/.github/workflows/issue-command.yml
@@ -4,9 +4,6 @@ on: issue_comment: types: [created] -permissions: - contents: read - jobs: rebase: name: Automatic Rebase
@@ -24,7 +21,7 @@ jobs: - name: Automatic Rebase uses: cirrus-actions/rebase@1.8 env: - GITHUB_TOKEN: ${{ secrets.TOKEN_SUPER }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} self-assign: name: Self Assign
@@ -32,7 +29,6 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 permissions: - contents: read issues: write steps: - uses: bdougie/take-action@v1.6.1
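Review bot: In docker-test.yml the `test` job is granted `attestations: write`, yet no step visible in the hunk creates an attestation, so this is a write scope with no visible consumer on a job that runs for pull requests. If the aim is only to narrow the token, `pull-requests: write` on its own already sets every other scope to `none`. The same scope is added in issue-command.yml (hunk at -46,8) and to the `all` job in test.yml, where it is the only entry and `permissions: {}` would state the intent directly; there the job-level block also replaces the workflow-level `checks: write` for that job. The steps of all three jobs lie outside the hunks, so confirm none of them calls an attestation action before dropping the scope.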
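Review bot: In issue-command.yml the rebase step now receives `secrets.GITHUB_TOKEN`, whose scope is whatever the `rebase` job is granted, but the hunk shows no `permissions:` block for that job and the first hunk of this file deletes the workflow-level one, so if the job has none the token falls back to the repository default. Declare the scope on the job itself, for example `permissions:` with `contents: write` and `pull-requests: read`, which is presumably what a rebase-and-push needs. The same fallback appears to affect the `Validate PR title` job in lint.yml, whose `pull-requests: read` block is deleted in a workflow that also handles `pull_request_target`. Pushes made with `GITHUB_TOKEN` do not start new workflow runs, so checks will not re-run on the rebased head. The `rebase` job begins outside the hunk, and `cirrus-actions/rebase@1.8` is a mutable tag on a comment-triggered job, so pinning it to a full commit SHA would fix which code receives the token.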
@@ -46,8 +42,8 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 permissions: - contents: read issues: write + attestations: write steps: - name: Checkout uses: actions/checkout@v4
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index abbd5c24c39f63..4f317a38646bd1 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -36,7 +36,6 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 permissions: - contents: read security-events: write steps: - uses: actions/checkout@v4
@@ -63,8 +62,6 @@ jobs: name: Validate PR title runs-on: ubuntu-latest timeout-minutes: 5 - permissions: - pull-requests: read steps: - uses: amannn/action-semantic-pull-request@v5 env:
@@ -77,7 +74,6 @@ jobs: name: Pull Request Labeler if: ${{ github.event_name == 'pull_request_target' && github.actor != 'dependabot[bot]' && github.repository == 'DIYgod/RSSHub' }} permissions: - contents: read pull-requests: write runs-on: ubuntu-latest timeout-minutes: 5
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 2530deb366721e..c66e85e68326be 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -9,7 +9,6 @@ on: - 'lib/**' permissions: - contents: read id-token: write jobs:
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 3cc83b81f96f15..5fb469de005d95 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -12,9 +12,6 @@ on: # random HH:MM to avoid a load spike on GitHub Actions at 00:00 - cron: 21 20 * * * -permissions: - contents: read - jobs: semgrep: name: Scan
@@ -23,7 +20,6 @@ jobs: image: returntocorp/semgrep if: (github.triggering_actor != 'dependabot[bot]') permissions: - contents: read security-events: write steps: - uses: actions/checkout@v4
diff --git a/.github/workflows/test-full-routes.yml b/.github/workflows/test-full-routes.yml
index 3c90c06f80c379..ce46651922ba53 100644
--- a/.github/workflows/test-full-routes.yml
+++ b/.github/workflows/test-full-routes.yml
@@ -5,9 +5,6 @@ on: schedule: - cron: '0 0 * * *' -permissions: - contents: read - jobs: build: runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index da3b96b18bf5b2..e70dd3c8bb7d3a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,7 +12,6 @@ on: pull_request: {} permissions: - contents: read checks: write jobs:
@@ -136,6 +135,8 @@ jobs: all: runs-on: ubuntu-latest timeout-minutes: 5 + permissions: + attestations: write strategy: fail-fast: false matrix: