[github-actions] Reduce workflow token permissions (#63) (#89)

coisa · github-actions[bot] · web-flow · commit 3e009b8a1b5d · 2026-04-18T12:48:57.000-03:00
* Reduce workflow token permissions * Update wiki submodule pointer for PR #89 --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
diff --git a/.github/wiki b/.github/wiki
@@ -1 +1 @@
-Subproject commit fd4afe1e402d2c825bebc99046c1ce0fb810afd1
+Subproject commit 88520483e0019e2e6231783f811da2bee4bd5b49
diff --git a/.github/workflows/label-sync.yml b/.github/workflows/label-sync.yml
@@ -14,6 +14,7 @@ on:
 
 permissions:
   contents: read
+  issues: read
   pull-requests: write
 
 jobs:
diff --git a/.github/workflows/reports.yml b/.github/workflows/reports.yml
@@ -23,8 +23,7 @@ on:
         branches: [ "main" ]
 
 permissions:
-    contents: write
-    pull-requests: write
+    contents: read
 
 concurrency:
     group: ${{ github.event_name == 'pull_request' && format('reports-preview-pr-{0}', github.event.pull_request.number) || 'reports-pages' }}
@@ -35,6 +34,8 @@ jobs:
         if: github.event_name != 'schedule' && !(github.event_name == 'workflow_dispatch' && inputs.cleanup-previews) && (github.event_name != 'pull_request' || github.event.action != 'closed')
         name: Generate Reports
         runs-on: ubuntu-latest
+        permissions:
+            contents: write
 
         env:
             PAGES_ARTIFACT_NAME: ${{ github.event_name == 'pull_request' && format('github-pages-pr-{0}', github.event.pull_request.number) || 'github-pages' }}
@@ -120,8 +121,16 @@ jobs:
                 keep_files: false
                 force_orphan: false
 
+    comment_preview:
+        if: github.event_name == 'pull_request' && github.event.action != 'closed'
+        name: Comment Pull Request Preview URLs
+        needs: reports
+        runs-on: ubuntu-latest
+        permissions:
+            pull-requests: write
+
+        steps:
             - name: Comment preview URLs on pull request
-              if: github.event_name == 'pull_request'
               uses: marocchino/sticky-pull-request-comment@v2
               with:
                 header: pr-preview
@@ -135,6 +144,8 @@ jobs:
         if: github.event_name == 'pull_request' && github.event.action == 'closed'
         name: Cleanup Pull Request Preview
         runs-on: ubuntu-latest
+        permissions:
+            contents: write
 
         steps:
             - name: Checkout gh-pages
@@ -162,6 +173,9 @@ jobs:
         if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.cleanup-previews)
         name: Cleanup Orphaned Pull Request Previews
         runs-on: ubuntu-latest
+        permissions:
+            contents: write
+            pull-requests: read
 
         steps:
             - name: Checkout gh-pages
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -26,9 +26,7 @@ on:
         branches: [ "main" ]
 
 permissions:
-    contents: write
-    pages: write
-    id-token: write
+    contents: read
 
 concurrency:
     group: "pages"
diff --git a/.github/workflows/wiki.yml b/.github/workflows/wiki.yml
@@ -11,8 +11,7 @@ on:
     types: [closed]
 
 permissions:
-  contents: write
-  pull-requests: read
+  contents: read
 
 concurrency:
   group: update-wiki-${{ github.event.pull_request.number || github.ref }}
@@ -23,6 +22,9 @@ jobs:
     name: Update Wiki Preview
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
 
     env:
       WIKI_PREVIEW_BRANCH: pr-${{ github.event.pull_request.number }}
@@ -117,6 +119,9 @@ jobs:
     name: Publish Wiki Master
     if: github.event_name == 'pull_request_target' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
 
     env:
       WIKI_PUBLISH_BRANCH: master
@@ -186,6 +191,8 @@ jobs:
     name: Delete Closed PR Wiki Preview
     if: github.event_name == 'pull_request_target' && github.event.pull_request.merged == false
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
 
     env:
       WIKI_PREVIEW_BRANCH: pr-${{ github.event.pull_request.number }}
@@ -215,6 +222,9 @@ jobs:
     name: Delete Orphaned Wiki Previews
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
 
     steps:
       - name: Checkout main branch
diff --git a/docs/advanced/branch-protection-and-bot-commits.rst b/docs/advanced/branch-protection-and-bot-commits.rst
@@ -92,6 +92,35 @@ write generated preview commits, update pull request comments, and publish Pages
 content. Keep those permissions scoped to the workflow jobs that actually need
 them.
 
+Workflow Permission Scope
+-------------------------
+
+The reusable workflows default to read-only repository access and grant write
+permissions at the job level when generated content must be pushed or pull
+requests must be updated.
+
+``tests.yml`` only needs ``contents: read`` because it checks out code, installs
+dependencies, and runs PHPUnit.
+
+``reports.yml`` keeps ``contents: write`` on jobs that publish or clean
+``gh-pages`` content. The pull request preview comment runs as a separate job
+with ``pull-requests: write`` because it posts or updates the sticky preview
+comment. Scheduled preview cleanup uses ``pull-requests: read`` so it can
+distinguish open pull requests from closed or merged ones before deleting
+``previews/pr-<number>`` directories.
+
+``wiki.yml`` keeps ``contents: write`` on preview, publish, and cleanup jobs
+because the workflow pushes wiki branches, updates the parent repository
+submodule pointer, promotes preview content to wiki ``master``, and deletes
+stale preview branches. Jobs that inspect pull request state keep
+``pull-requests: read``.
+
+The label synchronization workflow declares ``issues: read`` to copy labels from
+the linked issue and ``pull-requests: write`` to apply those labels to the pull
+request. The auto-assign workflow keeps ``issues: write`` and
+``pull-requests: write`` because assignment is a write operation on both event
+types.
+
 Resolving ``.github/wiki`` Pointer Conflicts
 --------------------------------------------
 
diff --git a/resources/github-actions/label-sync.yml b/resources/github-actions/label-sync.yml
@@ -9,5 +9,7 @@ on:
 jobs:
   label-sync:
     permissions:
+      contents: read
+      issues: read
       pull-requests: write
-    uses: php-fast-forward/dev-tools/.github/workflows/label-sync.yml@main
+    uses: php-fast-forward/dev-tools/.github/workflows/label-sync.yml@main
diff --git a/resources/github-actions/tests.yml b/resources/github-actions/tests.yml
@@ -5,9 +5,7 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write
-  pages: write
-  id-token: write
+  contents: read
 
 jobs:
   tests:
