talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

workflows: make requested permissions explicit for create-github-app-token

Browse Source 
Resolves #396875
This commit is contained in:
Wolfgang Walther 2025-04-12 19:10:26 +02:00
parent 98e45db76d
commit 40528439f3
No known key found for this signature in database
GPG Key ID: B39893FA5F65CAE1
4 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/backport.yml vendored
View File

@ -24,6 +24,8 @@ jobs:
with: with:
app-id: ${{ vars.NIXPKGS_CI_APP_ID }} app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
permission-contents: write
permission-pull-requests: write
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:

5
.github/workflows/codeowners-v2.yml vendored
View File

@ -68,6 +68,8 @@ jobs:
with: with:
app-id: ${{ vars.OWNER_RO_APP_ID }} app-id: ${{ vars.OWNER_RO_APP_ID }}
private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }} private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
permission-administration: read
permission-members: read
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
@ -101,6 +103,9 @@ jobs:
with: with:
app-id: ${{ vars.OWNER_APP_ID }} app-id: ${{ vars.OWNER_APP_ID }}
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
permission-administration: read
permission-members: read
permission-pull-requests: write
- name: Build review request package - name: Build review request package
run: nix-build ci -A requestReviews run: nix-build ci -A requestReviews

3
.github/workflows/eval.yml vendored
View File

@ -249,6 +249,9 @@ jobs:
with: with:
app-id: ${{ vars.OWNER_APP_ID }} app-id: ${{ vars.OWNER_APP_ID }}
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
permission-administration: read
permission-members: read
permission-pull-requests: write
- name: Download process result - name: Download process result
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

2
.github/workflows/periodic-merge.yml vendored
View File

@ -24,6 +24,8 @@ jobs:
with: with:
app-id: ${{ vars.NIXPKGS_CI_APP_ID }} app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
permission-contents: write
permission-pull-requests: write
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2